Description
Use After Free vulnerability in Apache Arrow C++.

This issue affects Apache Arrow C++ from 15.0.0 through 23.0.0. It can be triggered when reading an Arrow IPC file (but not an IPC stream) with pre-buffering enabled, if the IPC file contains data with variadic buffers (such as Binary View and String View data). Depending on the number of variadic buffers in a record batch column and on the temporal sequence of multi-threaded IO, a write to a dangling pointer could occur. The value (a `std::shared_ptr<Buffer>` object) that is written to the dangling pointer is not under direct control of the attacker.

Pre-buffering is disabled by default but can be enabled using a specific C++ API call (`RecordBatchFileReader::PreBufferMetadata`). The functionality is not exposed in language bindings (Python, Ruby, C GLib), so these bindings are not vulnerable.

The most likely consequence of this issue would be random crashes or memory corruption when reading specific kinds of IPC files. If the application allows ingesting IPC files from untrusted sources, this could plausibly be exploited for denial of service. Inducing more targeted kinds of misbehavior (such as confidential data extraction from the running process) depends on memory allocation and multi-threaded IO temporal patterns that are unlikely to be easily controlled by an attacker.

Advice for users of Arrow C++:

1. check whether you enable pre-buffering on the IPC file reader (using `RecordBatchFileReader::PreBufferMetadata`)

2. if so, either disable pre-buffering (which may have adverse performance consequences), or switch to Arrow 23.0.1 which is not vulnerable
Published: 2026-02-17
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via use‑after‑free
Action: Patch Upgrade
AI Analysis

Impact

A use‑after‑free flaw exists in Apache Arrow C++ when reading IPC files that contain variadic buffers and the reader’s pre‑buffering feature is enabled. The vulnerability can cause a write to a dangling pointer, resulting in memory corruption or random crashes. Although the value written is not directly attacker controlled, the effect can lead to denial of service or, in rare assembly patterns, potential confidentiality leakage in a running process. The weakness corresponds to CWE‑416 and CWE‑825.

Affected Systems

Apache Arrow C++ library versions 15.0.0 through 23.0.0 are affected when the C++ API RecordBatchFileReader::PreBufferMetadata is used to enable pre‑buffering. Language bindings such as Python, Ruby, and C GLib do not expose the vulnerable API and are therefore not vulnerable. Any application that incorporates these C++ versions and ingests IPC files from untrusted sources could be impacted.

Risk and Exploitability

The CVSS score is 7, indicating high severity, but the EPSS score of less than 1 % suggests that exploitation is unlikely at present. The vulnerability is not listed in the CISA KEV catalog. The attack route requires an attacker to supply a specially crafted IPC file to an application that has enabled pre‑buffering via the C++ API; this is typically an internal or local threat. The most probable consequence is application crashes or service disruption, with remote code execution being improbable unless additional memory corruption conditions are met.

Generated by OpenCVE AI on April 17, 2026 at 18:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Arrow to version 23.0.1 or later to eliminate the use‑after‑free flaw
  • If the upgrade cannot be performed immediately, disable pre‑buffering by avoiding a call to RecordBatchFileReader::PreBufferMetadata
  • Restrict ingestion of IPC files to trusted sources and validate file integrity before processing

Generated by OpenCVE AI on April 17, 2026 at 18:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 11 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:apache:arrow:*:*:*:*:*:*:*:*

Wed, 18 Feb 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache arrow
Vendors & Products Apache
Apache arrow

Wed, 18 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

 threat_severity

Moderate

Tue, 17 Feb 2026 19:30:00 +0000

Type Values Removed Values Added
References

Tue, 17 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 17 Feb 2026 13:45:00 +0000

Type Values Removed Values Added
Description Use After Free vulnerability in Apache Arrow C++. This issue affects Apache Arrow C++ from 15.0.0 through 23.0.0. It can be triggered when reading an Arrow IPC file (but not an IPC stream) with pre-buffering enabled, if the IPC file contains data with variadic buffers (such as Binary View and String View data). Depending on the number of variadic buffers in a record batch column and on the temporal sequence of multi-threaded IO, a write to a dangling pointer could occur. The value (a `std::shared_ptr<Buffer>` object) that is written to the dangling pointer is not under direct control of the attacker. Pre-buffering is disabled by default but can be enabled using a specific C++ API call (`RecordBatchFileReader::PreBufferMetadata`). The functionality is not exposed in language bindings (Python, Ruby, C GLib), so these bindings are not vulnerable. The most likely consequence of this issue would be random crashes or memory corruption when reading specific kinds of IPC files. If the application allows ingesting IPC files from untrusted sources, this could plausibly be exploited for denial of service. Inducing more targeted kinds of misbehavior (such as confidential data extraction from the running process) depends on memory allocation and multi-threaded IO temporal patterns that are unlikely to be easily controlled by an attacker. Advice for users of Arrow C++: 1. check whether you enable pre-buffering on the IPC file reader (using `RecordBatchFileReader::PreBufferMetadata`) 2. if so, either disable pre-buffering (which may have adverse performance consequences), or switch to Arrow 23.0.1 which is not vulnerable
Title Apache Arrow: Potential use-after-free when reading IPC file with pre-buffering
Weaknesses CWE-416
References

Subscriptions

Apache Arrow
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-02-20T09:56:43.018Z

Reserved: 2026-01-29T09:18:06.955Z

Link: CVE-2026-25087

cve-icon Vulnrichment

Updated: 2026-02-17T18:17:44.990Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-17T14:16:01.947

Modified: 2026-03-11T15:20:20.067

Link: CVE-2026-25087

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-02-17T13:18:25Z

Links: CVE-2026-25087 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T19:00:11Z

Weaknesses