CVE-2021-33430Classic Buffer Overflow in Numpy

CWE-120Classic Buffer OverflowCWE-119Improper Restriction of Operations within the Bounds of a Memory Buffer10 documents7 sources
Severity
5.3MEDIUMNVD
EPSS
0.2%
top 61.52%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
NumpyDebian Numpy
Timeline
PublishedDec 17
Latest updateDec 7

Description

A Buffer Overflow vulnerability exists in NumPy 1.9.x in the PyArray_NewFromDescr_int function of ctors.c when specifying arrays of large dimensions (over 32) from Python code, which could let a malicious user cause a Denial of Service. NOTE: The vendor does not agree this is a vulneraility; In (very limited) circumstances a user may be able provoke the buffer overflow, the user is most likely already privileged to at least provoke denial of service by exhausting memory. Triggering this further

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 1.6 | Impact: 3.6

Affected Packages5 packages

PyPInumpy/numpy1.9.01.10.0+1
debiandebian/numpy< numpy 1:1.21.4-2 (bookworm)
Debiannumpy/numpy< 1:1.21.4-2+2
Ubuntunumpy/numpy< 1:1.17.4-5ubuntu3.1+1
NVDnumpy/numpy1.9.01.9.3

🔴Vulnerability Details

5
OSV
numpy vulnerabilities2022-12-07
OSV
NumPy Buffer Overflow (Disputed)2022-01-07
GHSA
NumPy Buffer Overflow (Disputed)2022-01-07
OSV
CVE-2021-33430: A Buffer Overflow vulnerability exists in NumPy 12021-12-17
OSV
CVE-2021-33430: A Buffer Overflow vulnerability exists in NumPy 12021-12-17

📋Vendor Advisories

3
Ubuntu
NumPy vulnerabilities2022-12-07
Red Hat
numpy: buffer overflow in the PyArray_NewFromDescr_int() in ctors.c2021-05-07
Debian
CVE-2021-33430: numpy - A Buffer Overflow vulnerability exists in NumPy 1.9.x in the PyArray_NewFromDesc...2021

📄Research Papers

1
arXiv
Threat Assessment in Machine Learning based Systems2022-06-30
CVE-2021-33430 — Classic Buffer Overflow in Numpy | cvebase