CVE-2021-33430

low-risk
Published 2021-12-17

A Buffer Overflow vulnerability exists in NumPy 1.9.x in the PyArray_NewFromDescr_int function of ctors.c when specifying arrays of large dimensions (over 32) from Python code, which could let a malicious user cause a Denial of Service. NOTE: The vendor does not agree this is a vulneraility; In (very limited) circumstances a user may be able provoke the buffer overflow, the user is most likely already privileged to at least provoke denial of service by exhausting memory. Triggering this further requires the use of uncommon API (complicated structured dtypes), which is very unlikely to be available to an unprivileged user

Do I need to act?

-
0.17% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.3/10 Medium
NETWORK / HIGH complexity

Affected Products (1)

Numpy

Affected Vendors

Numpy

References (2)

Exploit https://github.com/numpy/numpy/issues/18939
Exploit https://github.com/numpy/numpy/issues/18939
23
/ 100
low-risk
Severity 17/34 · Moderate
Exploitability 1/34 · Minimal
Exposure 5/34 · Minimal