LCORE-2011: PyArrow overrides [Konflux] #1925
Open
tisnik wants to merge 1 commit into lightspeed-core:main from tisnik:lcore-2011-pyarrow-overrides
+1 −1
🔒 Security & Privacy | 🟡 Minor
🧩 Analysis chain
🌐 Web query:
PyArrow 23.0.1 release notes security fixes CVE
💡 Result:
The Apache Arrow 23.0.1 release, published on February 16, 2026, addresses a security vulnerability identified as CVE-2026-25087 [1][2][3]. This vulnerability is a Use After Free (UAF) issue located in the Apache Arrow C++ implementation, affecting versions 15.0.0 through 23.0.0 [2][4][5]. It can be triggered when reading an Arrow IPC file (specifically files, not IPC streams) with pre-buffering enabled, provided the file contains data with variadic buffers, such as Binary View or String View data [4][6][5].

Key technical points regarding this vulnerability include:

- Trigger Mechanism: The vulnerability requires pre-buffering to be explicitly enabled via the C++ API call RecordBatchFileReader::PreBufferMetadata [2][4][5].
- Language Bindings: The Apache Arrow maintainers have stated that this functionality is not exposed in language bindings, including Python (PyArrow), Ruby, and C GLib [4][5]. Consequently, while the PyArrow package is listed in some vulnerability databases as affected (due to its dependency on the core C++ library), the Python library itself is not directly vulnerable to this exploitation [6][5][7].
- Impact: The most likely consequence is a crash or memory corruption when reading specific IPC files [4][6][5]. While exploitation for more targeted behavior, such as unauthorized data extraction, is theoretically possible, it is considered difficult and highly dependent on specific, hard-to-control memory and multi-threaded I/O patterns [4][5].

Users are advised to upgrade to Apache Arrow 23.0.1 or later to resolve the issue [4][5]. If upgrading is not immediately possible, users should either disable pre-buffering in their C++ code or ensure they are not ingesting IPC files from untrusted sources [4][5].
Citations:
Confirm the CVE fixed by the PyArrow 23.0.1 bump
Apache Arrow 23.0.1 includes the fix for CVE-2026-25087 (Use After Free in the Arrow C++ IPC implementation; affects 15.0.0–23.0.0, so 23.0.1 is the resolving upgrade). The vulnerability is tied to C++ pre-buffering and isn't directly exposed via Python bindings, but this version bump still updates the underlying Arrow C++ library.

Update the PR/CVE description to explicitly name CVE-2026-25087 (and optionally mention the pre-buffering/C++-API trigger).
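A small audit check for the review point above, added here as an example and not part of this PR or the lightspeed-core repository: it reads requirements-style `pyarrow==X` pins (an assumed format for the override file, whose real contents are not shown on this page) and flags any pin that falls inside the 15.0.0–23.0.0 range the comment names for CVE-2026-25087. The sample override lists are constructed.

```python
import re
from typing import Iterable, Optional, Tuple

# Affected range and fix version as stated in the review comment for CVE-2026-25087.
AFFECTED_MIN = (15, 0, 0)
AFFECTED_MAX = (23, 0, 0)
FIXED_IN = (23, 0, 1)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")
_PIN_RE = re.compile(r"^\s*pyarrow\s*==\s*([0-9][0-9A-Za-z.\-+]*)", re.IGNORECASE)


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Reduce a version string to (major, minor, patch).

    Suffixes such as 'rc1' or '.post2' are ignored; a missing patch is treated as 0.
    Returns None when the string does not start with a numeric major.minor.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def parse_pin(line: str) -> Optional[Tuple[int, int, int]]:
    """Extract the version from an exact 'pyarrow==X' pin; other lines yield None."""
    m = _PIN_RE.match(line)
    return parse_version(m.group(1)) if m else None


def is_affected(version: Tuple[int, int, int]) -> bool:
    """True when the version lies in the vulnerable range (inclusive on both ends)."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def audit_pins(lines: Iterable[str]) -> dict:
    """Report the first pyarrow pin found and whether it is in the affected range.

    'affected' is None (unknown) when no exact pin is present, so an unpinned
    dependency is never silently reported as safe.
    """
    for line in lines:
        version = parse_pin(line)
        if version is not None:
            return {"pinned": version, "affected": is_affected(version)}
    return {"pinned": None, "affected": None}


# Constructed sample override files (hypothetical, not the PR's real diff).
OLD_OVERRIDES = ["numpy==2.2.0", "pyarrow==23.0.0"]
NEW_OVERRIDES = ["numpy==2.2.0", "pyarrow==23.0.1"]
```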