CVE-2021-41496Classic Buffer Overflow in Numpy

CWE-120Classic Buffer OverflowCWE-119Improper Restriction of Operations within the Bounds of a Memory Buffer12 documents9 sources
Severity
5.5MEDIUMNVD
OSV5.3
EPSS
0.0%
top 89.11%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
NumpyDebian NumpyMsrc Cbl2 Numpy 1.22.0-1 ON CBL Mariner 2.0+1 more
Timeline
PublishedDec 17
Latest updateDec 7

Description

Buffer overflow in the array_from_pyobj function of fortranobject.c in NumPy < 1.19, which allows attackers to conduct a Denial of Service attacks by carefully constructing an array with negative values. NOTE: The vendor does not agree this is a vulnerability; the negative dimensions can only be created by an already privileged user (or internally)

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages6 packages

NVDnumpy/numpy< 1.19.0
PyPInumpy/numpy< 1.19.0+1
Ubuntunumpy/numpy< 1:1.17.4-5ubuntu3.1+1
debiandebian/numpy

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

5
OSV
numpy vulnerabilities2022-12-07
GHSA
Buffer Copy without Checking Size of Input in NumPy2022-02-08
OSV
Buffer Copy without Checking Size of Input in NumPy2022-02-08
OSV
CVE-2021-41496: Buffer overflow in the array_from_pyobj function of fortranobject2021-12-17
OSV
CVE-2021-41496: Buffer overflow in the array_from_pyobj function of fortranobject2021-12-17

📋Vendor Advisories

4
Ubuntu
NumPy vulnerabilities2022-12-07
Microsoft
Buffer overflow in the array_from_pyobj function of fortranobject.c in NumPy < 1.19 which allows attackers to conduct a Denial of Service attacks by carefully constructing an array with negative value2021-12-14
Red Hat
numpy: buffer overflow in the array_from_pyobj() in fortranobject.c2021-05-13
Debian
CVE-2021-41496: numpy - Buffer overflow in the array_from_pyobj function of fortranobject.c in NumPy < 1...2021

🕵️Threat Intelligence

1
Tenable
Oracle July 2022 Critical Patch Update Addresses 188 CVEs2022-07-20

📄Research Papers

1
arXiv
Threat Assessment in Machine Learning based Systems2022-06-30
CVE-2021-41496 — Classic Buffer Overflow in Numpy | cvebase