
14 matches found

Cvelist
added 2026/05/08 9:46 p.m., 30 views

CVE-2026-41486 Ray: Remote Code Execution via Parquet Arrow Extension Type Deserialization

Ray is an AI compute engine. From version 2.54.0 to before version 2.55.0, Ray Data registers custom Arrow extension types ray.data.arrowtensor, ray.data.arrowtensorv2, ray.data.arrowvariableshapedtensor globally in PyArrow. When PyArrow reads a Parquet file containing one of these extension type...

CVSS: 8.9, EPSS: 0.00473
Exploits: 0, References: 4

CVE
added 2026/05/08 9:46 p.m., 12 views

CVE-2026-41486

Ray contains a remote code execution flaw (CVE-2026-41486) observed in Ray 2.49.0–2.54.0 where PyArrow reads Parquet extension types in metadata and Ray passes the bytes to cloudpickle.loads() during schema parsing, enabling arbitrary code execution before any row data is read. The issue affects ...

CVSS: 8.9, AI score: 6.3, EPSS: 0.00473
Exploits: 0, References: 4, Affected Software: 1

Snyk
added 2026/04/24 4:15 p.m., 1 view

Deserialization of Untrusted Data

Overview ray is an A system for parallel and distributed Python that unifies the ML ecosystem. Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the deserialization of Parquet Arrow extension type metadata via the cloudpickle.loads function. An attacker can...

CVSS: 9.6, AI score: 6.5, EPSS: 0.00473
Exploits: 0, References: 3

OSV
added 2020/10/02 12:00 a.m., 13 views

OSV-2020-1894 Heap-buffer-overflow in parquet::arrow::ApplyOriginalStorageMetadata

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26064 Crash type: Heap-buffer-overflow READ 4 Crash state: parquet::arrow::ApplyOriginalStorageMetadata parquet::arrow::SchemaManifest::Make parquet::arrow::FileReader::Make...

AI score: 7.2
Exploits: 0, References: 1

ossfuzz
added 2020/09/30 3:36 p.m., 28 views

arrow:parquet-arrow-fuzz: Heap-buffer-overflow in parquet::SerializedPageReader::DecompressIfNeeded

Project: https://github.com/apache/arrow.git Detailed Report: https://oss-fuzz.com/testcase?key=5086499571499008 Project: arrow Fuzzing Engine: libFuzzer Fuzz Target: parquet-arrow-fuzz Job Type: libfuzzerasanarrow Platform Id: linux Crash Type: Heap-buffer-overflow READ Crash Address:...

AI score: 6.8
Exploits: 0, Affected Software: 1

ossfuzz
added 2020/09/25 5:46 p.m., 17 views

arrow:parquet-arrow-fuzz: Global-buffer-overflow in WriteRingBuffer

Project: https://github.com/apache/arrow.git Detailed Report: https://oss-fuzz.com/testcase?key=5737307070791680 Project: arrow Fuzzing Engine: afl Fuzz Target: parquet-arrow-fuzz Job Type: aflasanarrow Platform Id: linux Crash Type: Global-buffer-overflow WRITE Crash Address: 0x000002cac164 Cras...

AI score: 6.8
Exploits: 0, Affected Software: 1

ossfuzz
added 2020/09/25 2:25 a.m., 15 views

arrow:parquet-arrow-fuzz: Heap-buffer-overflow in parquet::arrow::SchemaManifest::Make

Project: https://github.com/apache/arrow.git Detailed Report: https://oss-fuzz.com/testcase?key=4747568180101120 Project: arrow Fuzzing Engine: afl Fuzz Target: parquet-arrow-fuzz Job Type: aflasanarrow Platform Id: linux Crash Type: Heap-buffer-overflow READ 8 Crash Address: 0x602000000b80 Crash...

AI score: 6.4
Exploits: 0, Affected Software: 1

ossfuzz
added 2020/03/11 2:21 p.m., 15 views

arrow:parquet-arrow-fuzz: Heap-buffer-overflow in int arrow::BitUtil::BitReader::GetBatch<short>

Project: https://github.com/apache/arrow.git Detailed Report: https://oss-fuzz.com/testcase?key=5736510608637952 Project: arrow Fuzzing Engine: afl Fuzz Target: parquet-arrow-fuzz Job Type: aflasanarrow Platform Id: linux Crash Type: Heap-buffer-overflow WRITE 8 Crash Address: 0x625000054905 Cras...

AI score: 6.8
Exploits: 0, Affected Software: 1

ossfuzz
added 2020/02/26 9:56 p.m., 20 views

arrow:parquet-arrow-fuzz: Container-overflow in parquet::schema::Unflatten

Project: https://github.com/apache/arrow.git Detailed Report: https://oss-fuzz.com/testcase?key=5110585828311040 Project: arrow Fuzzing Engine: afl Fuzz Target: parquet-arrow-fuzz Job Type: aflasanarrow Platform Id: linux Crash Type: Container-overflow READ 4 Crash Address: 0x61e0000840b0 Crash...

AI score: 6.8
Exploits: 0, Affected Software: 1

ossfuzz
added 2020/02/15 8:16 a.m., 14 views

arrow:parquet-arrow-fuzz: Crash in arrow::BufferBuilder::Append

Project: https://github.com/apache/arrow.git Detailed Report: https://oss-fuzz.com/testcase?key=5671667462569984 Project: arrow Fuzzing Engine: libFuzzer Fuzz Target: parquet-arrow-fuzz Job Type: libfuzzerubsanarrow Platform Id: linux Crash Type: UNKNOWN READ Crash Address: 0x009a00000097 Crash...

AI score: 6.8
Exploits: 0, Affected Software: 1

ossfuzz
added 2020/02/15 8:06 a.m., 18 views

arrow:parquet-arrow-fuzz: Crash in arrow::internal::unpack32

Project: https://github.com/apache/arrow.git Detailed Report: https://oss-fuzz.com/testcase?key=5110081396146176 Project: arrow Fuzzing Engine: libFuzzer Fuzz Target: parquet-arrow-fuzz Job Type: libfuzzerasanarrow Platform Id: linux Crash Type: UNKNOWN WRITE Crash Address: 0x7fff1f4fc85c Crash...

AI score: 6.8
Exploits: 0, Affected Software: 1

ossfuzz
added 2020/02/13 7:35 p.m., 15 views

arrow:parquet-arrow-fuzz: Heap-buffer-overflow in bool arrow::util::RleDecoder::NextCounts<int>

Project: https://github.com/apache/arrow.git Detailed Report: https://oss-fuzz.com/testcase?key=5157653963866112 Project: arrow Fuzzing Engine: libFuzzer Fuzz Target: parquet-arrow-fuzz Job Type: libfuzzerasanarrow Platform Id: linux Crash Type: Heap-buffer-overflow WRITE Crash Address:...

AI score: 6.8
Exploits: 0, Affected Software: 1

ossfuzz
added 2020/02/13 11:57 a.m., 13 views

arrow:parquet-arrow-fuzz: Heap-use-after-free in int arrow::BitUtil::BitReader::GetBatch<short>

Project: https://github.com/apache/arrow.git Detailed Report: https://oss-fuzz.com/testcase?key=5700669229236224 Project: arrow Fuzzing Engine: afl Fuzz Target: parquet-arrow-fuzz Job Type: aflasanarrow Platform Id: linux Crash Type: Heap-use-after-free WRITE 2 Crash Address: 0x62500027623a Crash...

AI score: 6.8
Exploits: 0, Affected Software: 1

ossfuzz
added 2020/02/13 8:07 a.m., 34 views

arrow:parquet-arrow-fuzz: Crash in apache::thrift::protocol::TCompactProtocolT<apache::thrift::transport::TMemoryBu

Project: https://github.com/apache/arrow.git Detailed Report: https://oss-fuzz.com/testcase?key=5726334745837568 Project: arrow Fuzzing Engine: afl Fuzz Target: parquet-arrow-fuzz Job Type: aflasanarrow Platform Id: linux Crash Type: UNKNOWN READ Crash Address: 0x619f000f05b0 Crash State:...

AI score: 6.8
Exploits: 0, Affected Software: 1