Vulnerabilities ›

CVE-2026-6878

Medium

CWE-264 — Weakness Type

                    Published: Apr 23, 2026                      ·  Modified: Apr 25, 2026                      ·  Source: NVD                

CVSS v3

5.6

🔗 NVD Official

📄 Description (English)

A vulnerability was identified in ByteDance verl up to 0.7.0. Affected is the function math_equal of the file prime_math/grader.py. The manipulation leads to sandbox issue. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

🤖 AI Executive Summary

CVE-2026-6878 is a sandbox escape vulnerability in ByteDance verl versions up to 0.7.0 affecting the math_equal function in prime_math/grader.py. The vulnerability allows remote attackers to bypass sandbox restrictions, though exploitation is complex and difficult.

📄 Description (Arabic)

ثغرة في ByteDance verl تؤثر على الإصدارات حتى 0.7.0 في دالة math_equal بملف prime_math/grader.py. تسمح الثغرة بتجاوز قيود الحماية (sandbox) من خلال هجوم بعيد، لكن الاستغلال يتطلب تعقيداً عالياً. تم نشر استغلال عام للثغرة والبائع لم يستجب للإفصاح المبكر.

🤖 ملخص تنفيذي (AI)

A sandbox bypass vulnerability exists in ByteDance verl up to version 0.7.0 in the math_equal function. Remote exploitation is possible but requires high complexity and difficult execution techniques.

🤖 AI Intelligence Analysis Analyzed: May 24, 2026 23:09

🇸🇦 Saudi Arabia Impact Assessment

Saudi Relevance: medium

🏢 Affected Saudi Sectors

government education technology

🎯 MITRE ATT&CK Techniques

T1548 T1611 T1190

⚖️ Saudi Risk Score (AI)

6.0

/ 10.0

🔧 Remediation Steps (English)

Update ByteDance verl to version 0.7.1 or later when available. Implement network segmentation to restrict remote access to systems running affected versions. Monitor for suspicious activity related to sandbox bypass attempts. Apply principle of least privilege to limit impact of potential exploitation.

🔧 خطوات المعالجة (العربية)

قم بتحديث ByteDance verl إلى الإصدار 0.7.1 أو أحدث عند توفره. طبق تقسيم الشبكة لتقييد الوصول البعيد للأنظمة التي تعمل بالإصدارات المتأثرة. راقب الأنشطة المريبة المتعلقة بمحاولات الهروب من الحماية. طبق مبدأ الامتيازات الأقل للحد من تأثير الاستغلال المحتمل.

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

A.7.1 A.12.6

🔵 SAMA CSF

ID.BE-1 PR.IP-1

🟡 ISO 27001:2022

A.12.2.1 A.14.2.1

🔗 References & Sources 4

🔗

https://github.com/zast-ai/vulnerability-reports/blob/main/bytedance/verl_rce.md

cna@vuldb.com

🔗

https://vuldb.com/submit/795257

cna@vuldb.com

🔗

https://vuldb.com/vuln/359040

cna@vuldb.com

🔗

https://vuldb.com/vuln/359040/cti

cna@vuldb.com

📊 CVSS Score

5.6

/ 10.0 — Medium

📊 CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Attack VectorN — None / Network

Attack ComplexityH — High

Privileges RequiredN — None / Network

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityL — Low / Local

IntegrityL — Low / Local

AvailabilityL — Low / Local

📋 Quick Facts

Severity Medium

CVSS Score5.6

CWECWE-264

EPSS0.05%

Exploit No

Patch ✗ No

Published 2026-04-23

Source Feed nvd

🇸🇦 Saudi Risk Score

6.0

/ 10.0 — Saudi Risk

Priority: MEDIUM

🏷️ Tags

CWE-264

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

CVE-2026-6878

Introduce Yourself

Sign In Required