PT-2019-1615 · Numpy+6 · Numpy+6

Nanshihui

·

Published

2019-01-16

·

Updated

2025-09-29

·

CVE-2019-6446

CVSS v3.1

10

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions NumPy versions 1.16.0 and earlier
Description An issue was discovered in NumPy where it uses the pickle Python module unsafely. This allows remote attackers to execute arbitrary code via a crafted serialized object, as demonstrated by a numpy.load call. The issue is disputed by third parties because it might have legitimate applications in loading serialized Python object arrays from trusted and authenticated sources.
Recommendations For NumPy versions 1.16.0 and earlier, consider avoiding the use of the pickle Python module or restricting the loading of serialized objects to trusted sources until a fix is available. As a temporary workaround, consider disabling the use of numpy.load for untrusted sources. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

RCE

Deserialization of Untrusted Data

Weakness Enumeration

CWE-502

Related Identifiers

ALSA-2019:3335
ALSA-2019_3335
ALSA-2025_16880
BDU:2019-01157
CESA-2019_3335
CESA-2019_3704
CVE-2019-6446
ELSA-2019-3335
ELSA-2019-3704
GHSA-9FQ2-X9R6-WFMF
MGASA-2019-0322
OPENSUSE-SU-2019:0245-1
OPENSUSE-SU-2019:2225-1
OPENSUSE-SU-2019:2227-1
OPENSUSE-SU-2019:2259-1
OPENSUSE-SU-2019_0245-1
OPENSUSE-SU-2019_2225-1
OPENSUSE-SU-2019_2227-1
OPENSUSE-SU-2024:11243-1
OPENSUSE-SU-2024:13820-1
OPENSUSE-SU-2024:14311-1
PYSEC-2019-108
RHSA-2019:3335
RHSA-2019:3704
RHSA-2019_3335
RHSA-2019_3704
RLSA-2019:3335
RLSA-2019:3704
RLSA-2019_3335
RLSA-2019_3704
SUSE-SU-2019:0418-1
SUSE-SU-2019:0419-1
SUSE-SU-2019:0448-1
SUSE-SU-2019:13951-1
SUSE-SU-2019:13977-1
SUSE-SU-2019:2462-1
SUSE-SU-2019:2462-2
SUSE-SU-2019_0418-1
SUSE-SU-2019_0419-1
SUSE-SU-2019_0448-1
SUSE-SU-2019_13951-1
SUSE-SU-2019_2462-1
SUSE-SU-2019_2462-2

Affected Products

Almalinux
Centos
Numpy
Red Hat
Rocky Linux
Suse
Pickle