CVE-2023-52307

8.2 HIGH

📋 TL;DR

A stack overflow vulnerability in the paddle.linalg.lu_unpack function in PaddlePaddle allows attackers to cause denial of service or potentially execute arbitrary code by providing specially crafted input. This affects all users running vulnerable versions of PaddlePaddle, particularly those using this linear algebra function in their machine learning workflows.

💻 Affected Systems

Products:
  • PaddlePaddle
Versions: All versions before 2.6.0
Operating Systems: All platforms running PaddlePaddle
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using the paddle.linalg.lu_unpack function with untrusted input is vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise if the stack overflow can be leveraged for arbitrary code execution.

🟠 Likely Case: Denial of service through application crashes or instability when processing malicious input.

🟢 If Mitigated: Limited impact with proper input validation and sandboxing, potentially just application crashes.

🌐 Internet-Facing: MEDIUM - Requires the vulnerable function to be exposed via an API or service, which may not be common in all deployments.
🏢 Internal Only: MEDIUM - Internal users or automated processes could trigger the vulnerability through normal usage patterns.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires calling the vulnerable function with malicious input, which may require some application-specific knowledge.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.6.0 and later

Vendor Advisory: https://github.com/PaddlePaddle/Paddle/blob/develop/security/advisory/pdsa-2023-016.md

Restart Required: Yes

Instructions:

1. Upgrade PaddlePaddle to version 2.6.0 or later using pip: pip install --upgrade paddlepaddle==2.6.0
2. Restart any services or applications using PaddlePaddle.

🔧 Temporary Workarounds

Input validation wrapper

all

Wrap calls to paddle.linalg.lu_unpack with input validation to prevent malicious input

# Python code to validate input dimensions and types before calling lu_unpack
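
One way to write the wrapper described above, as an added example that is not PaddlePaddle's code or part of the vendor advisory. It assumes the shape contract x = [*, M, N] (float32/float64) and y = [*, min(M, N)] (int32, 1-based pivots); the names check_lu_unpack_shapes, safe_lu_unpack, MAX_DIM and MAX_BATCH are hypothetical, and the check is not claimed to match the exact trigger, so upgrading remains the fix.

```python
# Added example: pre-call validation for paddle.linalg.lu_unpack.
# Assumed contract: x is [*, M, N] float32/float64, y is [*, min(M, N)] int32
# with 1-based pivot rows. MAX_DIM and MAX_BATCH are local policy, not Paddle limits.
from math import prod

MAX_DIM = 4096
MAX_BATCH = 1024


def check_lu_unpack_shapes(x_shape, y_shape, pivots=None):
    """Raise ValueError unless the shapes and pivots are mutually consistent."""
    x_shape, y_shape = tuple(x_shape), tuple(y_shape)
    if len(x_shape) < 2:
        raise ValueError("x must have rank >= 2 ([*, M, N])")
    if len(y_shape) != len(x_shape) - 1:
        raise ValueError("y must have rank one less than x ([*, K])")
    if any(not isinstance(d, int) or d <= 0 for d in x_shape + y_shape):
        raise ValueError("dimensions must be positive integers")
    m, n = x_shape[-2:]
    if max(m, n) > MAX_DIM or prod(x_shape[:-2]) > MAX_BATCH:
        raise ValueError("matrix or batch size exceeds local policy")
    if x_shape[:-2] != y_shape[:-1]:
        raise ValueError("batch dimensions of x and y differ")
    if y_shape[-1] != min(m, n):
        raise ValueError("pivot length must equal min(M, N)")
    if pivots is not None:
        for p in pivots:
            if not 1 <= int(p) <= m:
                raise ValueError("pivot index outside [1, M]")
    return m, n


def safe_lu_unpack(x, y):
    """Validate tensors from an untrusted source, then call the real function."""
    import paddle  # imported lazily so the shape checker works without Paddle

    if x.dtype not in (paddle.float32, paddle.float64):
        raise ValueError("x must be float32 or float64")
    if y.dtype != paddle.int32:
        raise ValueError("y must be int32")
    check_lu_unpack_shapes(x.shape, y.shape, y.numpy().ravel().tolist())
    return paddle.linalg.lu_unpack(x, y)
```

Call safe_lu_unpack wherever the LU factor or pivots come from outside the process, and treat a ValueError as a rejected request rather than retrying.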

🧯 If You Can't Patch

  • Implement strict input validation for all calls to paddle.linalg.lu_unpack
  • Isolate PaddlePaddle processes in containers with limited privileges

🔍 How to Verify

Check if Vulnerable:

Check the PaddlePaddle version: python -c "import paddle; print(paddle.__version__)". If the version is lower than 2.6.0, the system is vulnerable.

Check Version:

python -c "import paddle; print(paddle.__version__)"

Verify Fix Applied:

After upgrading, verify that the version is 2.6.0 or higher using the same command.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes or segmentation faults when using linear algebra functions
  • Unusual memory usage patterns in PaddlePaddle processes

Network Indicators:

  • N/A - This is a local vulnerability

SIEM Query:

Process monitoring for PaddlePaddle crashes or abnormal termination
