cbcvebase.
CVE-2019-6446
published 2019-01-16


Priority: P263, critical, 9.8 (CVSS 3.0)
CVSS 3.0 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 17.08% (96.7th percentile)
An issue was discovered in NumPy before 1.16.3. It uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, as demonstrated by a numpy.load call. NOTE: third parties dispute this issue because it is a behavior that might have legitimate applications in (for example) loading serialized Python object arrays from trusted and authenticated sources.

Affected (5 ranges)

Vendor          Product        Version range       Fixed in
fedoraproject   fedora
google          chrome_chrome
numpy           numpy          <= 1.16.0
numpy           numpy          >= 0, < 1.16.1      1.16.1
numpy           numpy          0 – 1.16.0

Detection & IOCs (extracted from sources)

command: numpy.load(..., allow_pickle=True)
sigma (the rule below is written in Semgrep rule syntax):
rules:
- id: pickles-in-numpy
  patterns:
  - pattern: numpy.load(..., allow_pickle=$VALUE)
  - metavariable-regex:
      metavariable: $VALUE
      regex: (True|^\d*[1-9]\d*$)
  message: |
    Functions reliant on pickle can result in arbitrary code execution.
    Consider using fickling or switching to a safer serialization method.
    For more information, see https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/
  languages:
  - python
  severity: ERROR
• Flag any call to numpy.load() where allow_pickle is set to True or any positive integer — these are the conditions that re-enable unsafe pickle deserialization and trigger the CVE-2019-6446 code-execution path.
• In NumPy versions 1.16.0 and earlier, np.load() allowed pickles by default (allow_pickle=True implicitly), so any numpy.load() call on those versions without an explicit allow_pickle=False is suspicious.
• The attack vector is a crafted serialized (pickle) object passed to numpy.load(); treat untrusted .npy/.npz files as potentially malicious payloads.
• The vulnerability only applies to NumPy versions before 1.16.3; versions 1.16.3+ set allow_pickle=False by default, so the risk is limited to older installs or code that explicitly re-enables pickling.
• Third parties dispute the severity of this issue because loading pickled arrays from trusted, authenticated sources is a legitimate use case; the context of the data source matters when triaging alerts.
• Red Hat OpenStack Platform ships a vulnerable numpy version but assessed that it is not used in a vulnerable manner; environment-specific deployment context should be evaluated before treating all detections as exploitable.
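The detection logic of the rule and the notes above, implemented as an added standalone Python AST scanner (example code written for this page, not part of the database entry or of NumPy): it resolves `import numpy as np` / `from numpy import load` aliases, flags `allow_pickle=True` or a positive integer literal as the rule's regex does, and also flags calls with no explicit `allow_pickle` (the implicit pre-1.16.3 default). The sample source it scans is constructed for the example.

```python
import ast
# Constructed sample source (not from the page) with four numpy.load call sites.
SAMPLE_SOURCE = '''
import numpy as np
from numpy import load
a = np.load("weights.npy", allow_pickle=True)
b = np.load("weights.npy", allow_pickle=0)
c = load("cache.npz")
d = np.load("safe.npy", allow_pickle=False)
'''
class PickleLoadScanner(ast.NodeVisitor):
    def __init__(self):
        self.numpy_aliases = set()  # names bound to the numpy module
        self.load_aliases = set()   # names bound directly to numpy.load
        self.findings = []          # (line number, reason)

    def visit_Import(self, node):
        for alias in node.names:
            if alias.name == "numpy":
                self.numpy_aliases.add(alias.asname or "numpy")

    def visit_ImportFrom(self, node):
        if node.module == "numpy":
            for alias in node.names:
                if alias.name == "load":
                    self.load_aliases.add(alias.asname or "load")

    def _is_numpy_load(self, func):
        if isinstance(func, ast.Name):
            return func.id in self.load_aliases
        return (isinstance(func, ast.Attribute) and func.attr == "load"
                and isinstance(func.value, ast.Name)
                and func.value.id in self.numpy_aliases)

    def visit_Call(self, node):
        if self._is_numpy_load(node.func):
            kw = {k.arg: k.value for k in node.keywords}
            if "allow_pickle" not in kw:
                # NumPy before 1.16.3 defaulted to allow_pickle=True.
                self.findings.append((node.lineno, "implicit default"))
            elif isinstance(kw["allow_pickle"], ast.Constant):
                v = kw["allow_pickle"].value
                # True or a positive int literal, as the rule's regex matches.
                if v is True or (type(v) is int and v > 0):
                    self.findings.append((node.lineno, f"allow_pickle={v!r}"))
        self.generic_visit(node)
def scan(source):
    scanner = PickleLoadScanner()
    scanner.visit(ast.parse(source))
    return scanner.findings
```

Like the Semgrep rule, it only judges literal values; an `allow_pickle` bound to a variable is not flagged and needs manual review.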

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.0      9.8     CRITICAL   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
vendor_redhat             9.8     CRITICAL