Intel

AIKIDO-2026-741515

awkward is vulnerable to Out-of-bounds Write

Out-of-bounds Write Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Yesterday

58

Medium Risk

This Affects:

PYTHONawkward
2.0.0 - 2.9.0
Fixed in 2.9.1
Are you affected? Scan for Free

TL;DR

The awkward package builds and reduces nested array layouts using Python content classes and bundled CUDA kernels that are compiled at runtime. Several of these paths access memory outside allocated buffers for certain array structures, including out-of-bounds writes in the ListOffsetArray and record-array CUDA reduction kernels, a race condition in the record-array CUDA kernel, memory corruption when an IndexedArray with empty content is garbage collected, and unsafe length handling when reconstructing layouts in ak.from_buffers. Processing crafted or malformed array data or buffers can trigger out-of-bounds reads and writes, memory corruption, or crashes. The fix adds bounds and length checks, guards concurrent CUDA writes, validates offsets against content length, and hardens buffer reconstruction.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application processes untrusted or malformed Awkward Array data or buffers through the affected reduction, indexing, or buffer-reconstruction operations, or uses the CUDA (GPU) backend.

Background info

awkward is vulnerable to Out-of-bounds Write in versions 2.0.0 - 2.9.0.

How to fix this

Upgrade the awkward library to the patch version.