6 matches found
CVE-2026-25087
Use After Free vulnerability in Apache Arrow C++. This issue affects Apache Arrow C++ from 15.0.0 through 23.0.0. It can be triggered when reading an Arrow IPC file but not an IPC stream with pre-buffering enabled, if the IPC file contains data with variadic buffers such as Binary View and String...
AZL-53471 CVE-2024-52338 affecting package libarrow for versions less than 15.0.0-7
Deserialization of untrusted data in IPC and Parquet readers in the Apache Arrow R package versions 4.0.0 through 16.1.0 allows arbitrary code execution. An application is vulnerable if it reads Arrow IPC, Feather or Parquet data from untrusted sources, for example user-supplied input files. This...
PYSEC-2023-238
Deserialization of untrusted data in IPC and Parquet readers in PyArrow versions 0.14.0 to 14.0.0 allows arbitrary code execution. An application is vulnerable if it reads Arrow IPC, Feather or Parquet data from untrusted sources, for example user-supplied input files...
Deserialization Of Untrusted Data
pyarrow is vulnerable to Deserialization Of Untrusted Data. The vulnerability arises when reading Arrow IPC, Feather or Parquet data from untrusted sources, as the library does not by default disable PyExtensionType autoloading. This allows an attacker to create PyArrow-specific extension types which...
OSV-2020-1159 Segv on unknown address in arrow::ipc::ReadMessage
OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20124 Crash type: Segv on unknown address Crash state: arrow::ipc::ReadMessage arrow::ipc::RecordBatchFileReader::RecordBatchFileReaderImpl::ReadMessageFromBlo...
OSV-2020-1047 UNKNOWN READ in arrow::ipc::internal::FieldFromFlatbuffer
OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20123 Crash type: UNKNOWN READ Crash state: arrow::ipc::internal::FieldFromFlatbuffer arrow::ipc::internal::FieldFromFlatbuffer arrow::ipc::internal::GetSchema...