awkward is vulnerable to Out-of-bounds Write
58
Medium Risk
The awkward package builds and reduces nested array layouts using Python content classes and bundled CUDA kernels that are compiled at runtime. Several of these paths access memory outside allocated buffers for certain array structures, including out-of-bounds writes in the ListOffsetArray and record-array CUDA reduction kernels, a race condition in the record-array CUDA kernel, memory corruption when an IndexedArray with empty content is garbage collected, and unsafe length handling when reconstructing layouts in ak.from_buffers. Processing crafted or malformed array data or buffers can trigger out-of-bounds reads and writes, memory corruption, or crashes. The fix adds bounds and length checks, guards concurrent CUDA writes, validates offsets against content length, and hardens buffer reconstruction.
You are affected if you are using a version that falls within the vulnerable range and your application processes untrusted or malformed Awkward Array data or buffers through the affected reduction, indexing, or buffer-reconstruction operations, or uses the CUDA (GPU) backend.
awkward is vulnerable to Out-of-bounds Write in versions 2.0.0 - 2.9.0.
Upgrade the awkward library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant