CVE-2021-41495

Advisory

Numpy 1.22.2 includes a fix for CVE-2021-41495: Null Pointer Dereference vulnerability exists in numpy.sort in NumPy in the PyArray_DescrNew function due to missing return-value validation, which allows attackers to conduct DoS attacks by repetitively creating sort arrays.
NOTE: While correct that validation is missing, an error can only occur due to an exhaustion of memory. If the user can exhaust memory, they are already privileged. Further, it should be practically impossible to construct an attack which can target the memory exhaustion to occur at exactly this place.
NOTE2: The specs we include in this advisory differ from the publicly available on other sources. For example, the advisory posted by the NVD indicate that versions up to and including 1.19.0 are affected. However, research by Safety CLI Cybersecurity confirms that the vulnerability remained unaddressed until version 1.22.2.

Affected package

Affected versions

Fixed versions

Vulnerability changelog

This vulnerability has no description

Resources

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41495
• https://github.com/numpy/numpy/issues/19038
• https://www.oracle.com/security-alerts/cpujul2022.html
• https://github.com/numpy/numpy/commit/ac87f071f5fcf05b6a28bcf4ba7eb965daa6959a
• https://github.com/numpy/numpy/commit/c12001c617b7afbad892b8f3427d79ee4b5b0472
• https://github.com/numpy/numpy/blob/main/doc/source/release/1.22.2-notes.rst