PT-2020-6980 · Libsvm+2

Pabloec20 · Published 2020-11-21 · Updated 2025-02-04 · CVE-2020-28975

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: Libsvm version v324; scikit-learn version 0.23.2

Description: The issue is in the svm_predict_values function in svm.cpp of Libsvm, which can cause a denial of service (segmentation fault) when a crafted SVM model with a large value in the n_support array is loaded. The model can be introduced via pickle, JSON, or any other model persistence format. The scikit-learn vendor notes that this behavior can only occur if an application violates the library's API by changing a private attribute.

Recommendations: For Libsvm version v324, consider disabling the svm_predict_values function until a patch is available. For scikit-learn version 0.23.2, avoid using the n_support array with the affected svm_predict_values function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
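A defensive check a consuming application can run before calling predict on a model loaded from an untrusted file, added here as an example and not code from Libsvm or scikit-learn. It assumes the loaded object is a classifier exposing scikit-learn's fitted attributes n_support_, support_vectors_ and classes_; the model objects at the bottom are constructed stand-ins so the check runs without scikit-learn installed.

```python
from types import SimpleNamespace


def check_svm_model(model):
    """Return (ok, reason) for a classifier loaded from an untrusted file.
    Rejects an n_support array that is inconsistent with the stored support
    vectors, the condition the advisory describes as crashing
    svm_predict_values."""
    try:
        n_support = [int(x) for x in model.n_support_]
        n_sv = len(model.support_vectors_)
        n_classes = len(model.classes_)
    except (AttributeError, TypeError, ValueError) as exc:
        return False, f"missing or malformed attribute: {exc}"
    # scikit-learn classifiers keep one n_support entry per class.
    if len(n_support) != n_classes:
        return False, f"{len(n_support)} n_support entries for {n_classes} classes"
    if any(c < 0 for c in n_support):
        return False, "negative n_support entry"
    # Libsvm walks the support vectors by cumulative n_support counts, so the
    # total must match the number of stored vectors exactly.
    if sum(n_support) != n_sv:
        return False, f"n_support sums to {sum(n_support)} but {n_sv} vectors are stored"
    return True, "consistent"


def safe_predict(model, X):
    """Only call predict on a model that passes the consistency check."""
    ok, reason = check_svm_model(model)
    if not ok:
        raise ValueError(f"refusing to predict with inconsistent SVM model: {reason}")
    return model.predict(X)


# Constructed stand-ins (not real scikit-learn objects): a consistent model and
# one whose n_support is far larger than the three stored support vectors.
_SV = [[0.0, 1.0], [1.0, 0.0], [0.5, 0.5]]
GOOD_MODEL = SimpleNamespace(classes_=[0, 1], support_vectors_=_SV,
                             n_support_=[1, 2], predict=lambda X: [0] * len(X))
BAD_MODEL = SimpleNamespace(classes_=[0, 1], support_vectors_=_SV,
                            n_support_=[1, 2_000_000_000], predict=lambda X: [0] * len(X))

if __name__ == "__main__":
    print(check_svm_model(GOOD_MODEL))   # (True, 'consistent')
    print(check_svm_model(BAD_MODEL))    # (False, 'n_support sums to ...')
```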

Weakness Enumeration

Buffer Overflow
Improper Resource Release

Related Identifiers

ALT-PU-2023-6666
BDU:2024-07246
CVE-2020-28975
GHSA-JXFP-4RVQ-9H9M
OPENSUSE-SU-2024:11805-1
OPENSUSE-SU-2025:14729-1
PYSEC-2020-108

Affected Products

Alt Linux
Libsvm
Scikit-Learn