CVE-2026-25087

7.0 HIGH

📋 TL;DR

A Use After Free vulnerability in Apache Arrow C++ allows memory corruption when reading Arrow IPC files with pre-buffering enabled. This affects C++ applications using Arrow versions 15.0.0 through 23.0.0 that enable pre-buffering on IPC file readers. Language bindings (Python, Ruby, C GLib) are not vulnerable as the functionality isn't exposed.

💻 Affected Systems

Products:
  • Apache Arrow C++
Versions: 15.0.0 through 23.0.0
Operating Systems: All platforms running Apache Arrow C++
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when pre-buffering is explicitly enabled via RecordBatchFileReader::PreBufferMetadata. Language bindings (Python, Ruby, C GLib) are not affected.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Memory corruption leading to arbitrary code execution or confidential data extraction from the running process, though this requires specific memory allocation patterns unlikely to be attacker-controlled.

🟠 Likely Case

Random crashes or denial of service when reading malicious IPC files from untrusted sources.

🟢 If Mitigated

No impact if pre-buffering is disabled or a patched version is used.

🌐 Internet-Facing: MEDIUM - Only affects applications that ingest IPC files from untrusted sources with pre-buffering enabled.
🏢 Internal Only: LOW - Requires specific configuration and IPC file ingestion from untrusted sources.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ⚠️ Yes
Complexity: HIGH

Exploitation requires specific memory allocation patterns and multi-threaded IO timing that are difficult for attackers to control.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 23.0.1

Vendor Advisory: https://lists.apache.org/thread/mpm4ld1qony30tchfpjtk5b11tcyvmwh

Restart Required: Yes

Instructions:

  1. Upgrade Apache Arrow C++ to version 23.0.1 or later.
  2. Recompile and redeploy affected applications.
  3. Restart services using the patched library.

🔧 Temporary Workarounds

Disable pre-buffering (all platforms)

Disable pre-buffering on IPC file readers to prevent triggering the vulnerability

Remove or disable calls to RecordBatchFileReader::PreBufferMetadata in your code

🧯 If You Can't Patch

  • Disable pre-buffering on all IPC file readers
  • Validate and sanitize all IPC files from untrusted sources before processing

🔍 How to Verify

Check if Vulnerable:

Check whether your code calls RecordBatchFileReader::PreBufferMetadata, and verify whether the Arrow C++ version it links against falls in the range 15.0.0 through 23.0.0.

Check Version:

Check your build configuration, run arrow --version (if available), or check your package manager.

Verify Fix Applied:

Verify Arrow C++ version is 23.0.1 or later and confirm pre-buffering is either disabled or no longer causes crashes with test IPC files
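
The two checks above can be combined into one triage script. This is an added example, not code from the advisory or the Apache Arrow project; the function names, result labels and sample source file are assumptions made for illustration, and the caller supplies the Arrow version as MAJOR.MINOR.PATCH.

```shell
#!/bin/sh
# Triage helper for CVE-2026-25087 (added example, not Apache Arrow project code).

# Succeeds if version $1 lies in the affected range 15.0.0 through 23.0.0.
arrow_version_affected() {
  av=${1%%[!0-9.]*}                  # drop suffixes such as "-SNAPSHOT"
  av_ifs=$IFS; IFS=.; set -- $av; IFS=$av_ifs
  av_major=${1:-0}; av_minor=${2:-0}; av_patch=${3:-0}
  if [ "$av_major" -ge 15 ] && [ "$av_major" -le 22 ]; then return 0; fi
  # 23.0.0 is the last affected release; 23.0.1 carries the fix.
  [ "$av_major" -eq 23 ] && [ "$av_minor" -eq 0 ] && [ "$av_patch" -eq 0 ]
}

# Prints file:line:text for each PreBufferMetadata call under directory $1.
# Heuristic: comments and declarations match too, so review each hit.
find_prebuffer_calls() {
  find "$1" -type f \( -name '*.cc' -o -name '*.cpp' -o -name '*.h' -o -name '*.hpp' \) \
    -exec grep -nE 'PreBufferMetadata[[:space:]]*\(' /dev/null {} + || true
}

# Prints one label for Arrow version $1 and source tree $2:
#   AFFECTED          version in range and a pre-buffering call site exists
#   IN_RANGE_NO_CALL  version in range, trigger not found (still upgrade)
#   NOT_AFFECTED      version outside 15.0.0 through 23.0.0
#   UNKNOWN_VERSION   version string is not MAJOR.MINOR.PATCH
triage() {
  case $1 in [0-9]*.[0-9]*.[0-9]*) ;; *) echo UNKNOWN_VERSION; return 0 ;; esac
  if ! arrow_version_affected "$1"; then echo NOT_AFFECTED; return 0; fi
  if [ -n "$(find_prebuffer_calls "$2")" ]; then echo AFFECTED
  else echo IN_RANGE_NO_CALL; fi
}

# Constructed sample tree so the script runs offline.
demo=$(mktemp -d)
printf '%s\n' '// constructed sample; batch_indices is a hypothetical variable' \
  'auto st = reader->PreBufferMetadata(batch_indices);' > "$demo/reader.cc"
triage 22.0.0 "$demo"    # version in range, call site present
triage 23.0.1 "$demo"    # fixed release
find_prebuffer_calls "$demo"
rm -rf "$demo"
```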

📡 Detection & Monitoring

Log Indicators:

  • Segmentation faults, memory access violations, or crashes when processing IPC files

Network Indicators:

  • Incoming IPC file transfers to vulnerable services

SIEM Query:

Process crashes with arrow-related modules or IPC file processing errors
