updating CVE number

Author: seperman

AUTHORS.md

@@ -76,4 +76,4 @@ Authors in order of the timeline of their contributions:
 - [Jim Cipar](https://github.com/jcipar) for the fix recursion depth limit when hashing numpy.datetime64
 - [Enji Cooper](https://github.com/ngie-eign) for converting legacy setuptools use to pyproject.toml
 - [Diogo Correia](https://github.com/diogotcorreia) for reporting security vulnerability in Delta and DeepDiff that could allow remote code execution.
-- [am-periphery](https://github.com/am-periphery) for reporting CVE-2025-58367: denial-of-service via crafted pickle payloads triggering massive memory allocation.
+- [am-periphery](https://github.com/am-periphery) for reporting CVE-2026-33155: denial-of-service via crafted pickle payloads triggering massive memory allocation.

CHANGELOG.md

@@ -1,7 +1,7 @@
 # DeepDiff Change log
 
 - v8-6-2
-    - Security fix (CVE-2025-58367): Prevent denial-of-service via crafted pickle payloads that trigger massive memory allocation through the REDUCE opcode. Size-sensitive callables like `bytes()` and `bytearray()` are now wrapped to reject allocations exceeding 128 MB.
+    - Security fix (CVE-2026-33155): Prevent denial-of-service via crafted pickle payloads that trigger massive memory allocation through the REDUCE opcode. Size-sensitive callables like `bytes()` and `bytearray()` are now wrapped to reject allocations exceeding 128 MB.
 
 - v8-6-1
     - Patched security vulnerability in the Delta class which was vulnerable to class pollution via its constructor, and when combined with a gadget available in DeltaDiff itself, it could lead to Denial of Service and Remote Code Execution (via insecure Pickle deserialization).

README.md

@@ -24,7 +24,7 @@ Tested on Python 3.9+ and PyPy3.
 Please check the [ChangeLog](CHANGELOG.md) file for the detailed information.
 
 DeepDiff 8-6-2
-- **Security (CVE-2025-58367):** Fixed a memory exhaustion DoS vulnerability in `_RestrictedUnpickler` by limiting the maximum allocation size for `bytes` and `bytearray` during deserialization.
+- **Security (CVE-2026-33155):** Fixed a memory exhaustion DoS vulnerability in `_RestrictedUnpickler` by limiting the maximum allocation size for `bytes` and `bytearray` during deserialization.
 
 DeepDiff 8-6-1
 - Patched security vulnerability in the Delta class which was vulnerable to class pollution via its constructor, and when combined with a gadget available in DeltaDiff itself, it could lead to Denial of Service and Remote Code Execution (via insecure Pickle deserialization).

deepdiff/serialization.py

@@ -333,7 +333,7 @@ def pretty(self, prefix: Optional[Union[str, Callable]]=None):
 
 # Maximum size allowed for integer arguments to constructors that allocate
 # memory proportional to the argument (e.g. bytes(n), bytearray(n)).
-# This prevents denial-of-service via crafted pickle payloads. (CVE-2025-58367)
+# This prevents denial-of-service via crafted pickle payloads. (CVE-2026-33155)
 _MAX_ALLOC_SIZE = 128 * 1024 * 1024  # 128 MB
 
 # Callables where an integer argument directly controls memory allocation size.

docs/authors.rst

@@ -118,7 +118,7 @@ and polars support.
 - `Enji Cooper <https://github.com/ngie-eign>`__ for converting legacy
   setuptools use to pyproject.toml
 - `Diogo Correia <https://github.com/diogotcorreia>`__ for reporting security vulnerability in Delta and DeepDiff that could allow remote code execution.
-- `am-periphery <https://github.com/am-periphery>`__ for reporting CVE-2025-58367: denial-of-service via crafted pickle payloads triggering massive memory allocation.
+- `am-periphery <https://github.com/am-periphery>`__ for reporting CVE-2026-33155: denial-of-service via crafted pickle payloads triggering massive memory allocation.
 
 
 .. _Sep Dehpour (Seperman): http://www.zepworks.com

docs/changelog.rst

@@ -6,7 +6,7 @@ Changelog
 DeepDiff Changelog
 
 - v8-6-2
-   - Security fix (CVE-2025-58367): Prevent denial-of-service via crafted pickle payloads that trigger massive memory allocation through the REDUCE opcode. Size-sensitive callables like ``bytes()`` and ``bytearray()`` are now wrapped to reject allocations exceeding 128 MB.
+   - Security fix (CVE-2026-33155): Prevent denial-of-service via crafted pickle payloads that trigger massive memory allocation through the REDUCE opcode. Size-sensitive callables like ``bytes()`` and ``bytearray()`` are now wrapped to reject allocations exceeding 128 MB.
 
 - v8-6-1
    - Patched security vulnerability in the Delta class which was vulnerable to class pollution via its constructor, and when combined with a gadget available in DeltaDiff itself, it could lead to Denial of Service and Remote Code Execution (via insecure Pickle deserialization).

docs/index.rst

@@ -34,7 +34,7 @@ What Is New
 DeepDiff 8-6-2
 --------------
 
-    - Security fix (CVE-2025-58367): Prevent denial-of-service via crafted pickle payloads that trigger massive memory allocation through the REDUCE opcode. Size-sensitive callables like ``bytes()`` and ``bytearray()`` are now wrapped to reject allocations exceeding 128 MB.
+    - Security fix (CVE-2026-33155): Prevent denial-of-service via crafted pickle payloads that trigger massive memory allocation through the REDUCE opcode. Size-sensitive callables like ``bytes()`` and ``bytearray()`` are now wrapped to reject allocations exceeding 128 MB.
 
 DeepDiff 8-6-1
 --------------

tests/test_serialization.py

@@ -159,7 +159,7 @@ class TestPicklingSecurity:
 
     @pytest.mark.skipif(sys.platform == "win32", reason="Resource module is Unix-only")
     def test_restricted_unpickler_memory_exhaustion_cve(self):
-        """CVE-2025-58367: Prevent DoS via massive allocation through REDUCE opcode.
+        """CVE-2026-33155: Prevent DoS via massive allocation through REDUCE opcode.
 
         The payload calls bytes(10_000_000_000) which is allowed by find_class
         but would allocate ~9.3GB of memory. The fix should reject this before