CVE-2019-6446

9.8 CRITICAL

📋 TL;DR

NumPy versions before 1.16.3 use Python's pickle module unsafely in numpy.load(), allowing remote attackers to execute arbitrary code via malicious serialized objects. This affects any application using NumPy to load untrusted data files. Third parties note this might be legitimate behavior for trusted sources.

💻 Affected Systems

Products:
  • NumPy
Versions: All versions before 1.16.3
Operating Systems: All operating systems where NumPy is installed
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default numpy.load() behavior when processing pickle files. Applications using numpy.load() with untrusted data are vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution with full system compromise, data theft, and lateral movement within the network.

🟠

Likely Case

Arbitrary code execution in the context of the application using NumPy, potentially leading to data exfiltration or system takeover.

🟢

If Mitigated

Limited impact if only trusted, authenticated data sources are used with proper input validation.

🌐 Internet-Facing: HIGH if applications accept user-uploaded files or external data sources without validation.
🏢 Internal Only: MEDIUM if internal applications process untrusted data, LOW if only trusted sources are used.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the attacker to provide a malicious pickle file that gets processed by numpy.load(). No authentication needed if file upload or external data ingestion exists.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: NumPy 1.16.3 and later

Vendor Advisory: https://numpy.org/doc/stable/release/1.16.3-notes.html

Restart Required: No

Instructions:

1. Upgrade NumPy to version 1.16.3 or later using pip: 'pip install --upgrade "numpy>=1.16.3"' (quote the version specifier so the shell does not treat '>=' as a redirect).
2. For system packages, use your package manager: 'apt-get update && apt-get install python3-numpy' (Debian/Ubuntu) or 'yum update numpy' (RHEL/CentOS), and confirm the distribution package is at least 1.16.3.
3. Verify the installation with 'python -c "import numpy; print(numpy.__version__)"'.

🔧 Temporary Workarounds

Use allow_pickle=False parameter (applies to: all)

Disable pickle loading in numpy.load() by setting allow_pickle=False when loading untrusted data:

numpy.load('file.npy', allow_pickle=False)

Validate data sources (applies to: all)

Only load data from trusted, authenticated sources and implement strict file validation.

🧯 If You Can't Patch

  • Implement strict input validation: only accept files from trusted sources and use file type verification.
  • Use application-level sandboxing or containerization to limit potential damage from exploitation.
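A defender-side pre-check for the two workarounds above (pickle-free loading and strict file validation), added here as an example and not part of this advisory or of NumPy itself: it parses the .npy header with the standard library only, reports whether the file declares an object dtype (the only case numpy.load() would have to hand to pickle), and checks whether a NumPy version string is past the 1.16.3 default change. The sample files are constructed inline; numpy is not imported.

```python
import ast
import struct

NPY_MAGIC = b"\x93NUMPY"
MIN_SAFE_VERSION = (1, 16, 3)  # numpy.load() defaults to allow_pickle=False from here on

def numpy_is_patched(version):
    """True if a NumPy version string is 1.16.3 or later."""
    parts = []
    for piece in version.split(".")[:3]:
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts + [0] * (3 - len(parts))) >= MIN_SAFE_VERSION

def parse_npy_header(data):
    """Return the .npy header dict; ast.literal_eval accepts literals only, never pickle."""
    if not data.startswith(NPY_MAGIC):
        raise ValueError("not a .npy file")
    major = data[6]
    if major == 1:
        (hlen,), start = struct.unpack("<H", data[8:10]), 10
    elif major in (2, 3):
        (hlen,), start = struct.unpack("<I", data[8:12]), 12
    else:
        raise ValueError("unsupported .npy format version %d" % major)
    header = data[start:start + hlen].decode("utf-8" if major == 3 else "latin1")
    parsed = ast.literal_eval(header)
    if not isinstance(parsed, dict) or "descr" not in parsed:
        raise ValueError("malformed .npy header")
    return parsed

def _descr_has_object(descr):
    if isinstance(descr, str):                      # e.g. '<i8', '|O', '<U5'
        return "O" in descr.lstrip("<>|=")
    return any(_descr_has_object(f[1]) for f in descr)  # structured dtype: list of tuples

def requires_pickle(data):
    """True if numpy.load(..., allow_pickle=False) would reject this file (object dtype)."""
    return _descr_has_object(parse_npy_header(data)["descr"])

def _make_npy(descr, shape, payload):
    """Build a minimal format-1.0 .npy byte string (constructed sample, not a captured file)."""
    header = "{'descr': %r, 'fortran_order': False, 'shape': %r, }" % (descr, shape)
    header += " " * (63 - (len(header) + 10) % 64) + "\n"   # 64-byte aligned header
    return NPY_MAGIC + b"\x01\x00" + struct.pack("<H", len(header)) + header.encode("latin1") + payload

NUMERIC_SAMPLE = _make_npy("<i8", (3,), struct.pack("<3q", 1, 2, 3))
OBJECT_SAMPLE = _make_npy("|O", (1,), b"<a pickle stream would follow here>")
```

Files for which requires_pickle() returns True should be rejected at the upload boundary; everything else can still be loaded with allow_pickle=False as a second line of defence.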

🔍 How to Verify

Check if Vulnerable:

Check the NumPy version: 'python -c "import numpy; print(numpy.__version__)"'. If the version is below 1.16.3, the installation is vulnerable.

Check Version:

python -c "import numpy; print(numpy.__version__)"

Verify Fix Applied:

After patching, verify the version is 1.16.3 or higher using the same command, and confirm that code paths loading untrusted data call numpy.load() with allow_pickle=False.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads to applications using NumPy
  • Unexpected process execution from Python applications
  • Errors in application logs related to numpy.load() failures

Network Indicators:

  • Unexpected outbound connections from applications after file processing
  • Data exfiltration patterns

SIEM Query:

source="application_logs" AND (numpy.load OR pickle.load) AND (file_upload OR external_source)
