Intel

AIKIDO-2026-795744

numpy is vulnerable to Out-of-bounds Write

Out-of-bounds Write Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Yesterday

56

Medium Risk

This Affects:

PYTHONnumpy
1.21.0 - 2.4.4
Fixed in 2.4.5
Are you affected? Scan for Free

TL;DR

NumPy's timedelta-to-string cast resolver in time_to_string_resolve_descriptors computes a fixed output string length and ignores the width of an explicitly requested fixed-width string dtype for timedelta64 inputs. When a timedelta64 array is cast to an S or U string dtype narrower than the value's textual representation, the conversion loop writes the full string past the end of the output array's heap buffer. This out-of-bounds write corrupts adjacent heap memory and can crash the process. The fix clamps the loop's output element size to the requested output dtype size.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application casts timedelta64 arrays to a fixed-width string dtype narrower than the value's string representation.

Background info

numpy is vulnerable to Out-of-bounds Write in versions 1.21.0 - 2.4.4.

How to fix this

Upgrade the numpy library to the patch version.