What is the CVSS score of CVE-2026-25087?

CVE-2026-25087 has a contested CVSS base score of 7.0 from a third party (e.g. CISA-ADP), while the vendor rates it High. vuln.today uses the vendor rating as authoritative.

Which versions of Python are affected by CVE-2026-25087?

Apache Arrow C++ versions 15.0.0 through 23.0.0 contain a Use After Free vulnerability that could allow attackers to execute arbitrary code or cause denial of service on systems using affected…. A patch is available.

How to fix or mitigate CVE-2026-25087?

Within 24 hours: Inventory all systems and applications using Apache Arrow C++ versions 15.0.0-23.0.0 and assess exposure in production environments. Within 7 days: Deploy available patches to all affected systems, prioritizing internet-facing and data-processing infrastructure. Within 30 days: Complete patching across all environments including development and testing systems, and validate functionality post-patch.

Python CVE-2026-25087

HIGH

Use After Free (CWE-416)

2026-02-17 security@apache.org

GHSA-rgxp-2hwp-jwgg

Apache Python Ruby Use After Free Memory Corruption Denial Of Service Arrow Red Hat Suse

High

Disputed · 7.0 NVD

Severity by source

Sources disagree (Low–High)

NVD PRIMARY

7.0 HIGH

AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H

SUSE

3.1 LOW

AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H

Red Hat

5.3 MEDIUM

qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

Patch released

Mar 11, 2026 - 15:20 nvd

Patch available

CVE Published

Feb 17, 2026 - 14:16 nvd

HIGH 7.0

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

70 pypi packages depend on pyarrow (56 direct, 15 indirect)

Ecosystem-wide dependent count for version 15.0.0.

DescriptionCVE.org

Use After Free vulnerability in Apache Arrow C++.

This issue affects Apache Arrow C++ from 15.0.0 through 23.0.0. It can be triggered when reading an Arrow IPC file (but not an IPC stream) with pre-buffering enabled, if the IPC file contains data with variadic buffers (such as Binary View and String View data). Depending on the number of variadic buffers in a record batch column and on the temporal sequence of multi-threaded IO, a write to a dangling pointer could occur. The value (a std::shared_ptr<Buffer> object) that is written to the dangling pointer is not under direct control of the attacker.

Pre-buffering is disabled by default but can be enabled using a specific C++ API call (RecordBatchFileReader::PreBufferMetadata). The functionality is not exposed in language bindings (Python, Ruby, C GLib), so these bindings are not vulnerable.

The most likely consequence of this issue would be random crashes or memory corruption when reading specific kinds of IPC files. If the application allows ingesting IPC files from untrusted sources, this could plausibly be exploited for denial of service. Inducing more targeted kinds of misbehavior (such as confidential data extraction from the running process) depends on memory allocation and multi-threaded IO temporal patterns that are unlikely to be easily controlled by an attacker.

Advice for users of Arrow C++:

check whether you enable pre-buffering on the IPC file reader (using RecordBatchFileReader::PreBufferMetadata)
if so, either disable pre-buffering (which may have adverse performance consequences), or switch to Arrow 23.0.1 which is not vulnerable

AnalysisAI

Use After Free vulnerability in Apache Arrow C++. This issue affects Apache Arrow C++ from 15.0.0 through 23.0.0. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Craft malicious Arrow IPC file

Delivery

Include variadic buffers in record batch

Exploit

Trigger pre-buffering during read

Execution

Write to dangling pointer

Impact

Cause memory corruption

Access

Craft malicious Arrow IPC file

Delivery

Include variadic buffers in record batch

Exploit

Trigger pre-buffering during read

Execution

Write to dangling pointer

Impact

Cause memory corruption

Vulnerability AssessmentAI

Exploitation	Apache Arrow C++ versions 15.0.0 through 23.0.0 with pre-buffering enabled, reading IPC files (not streams) containing Binary View or String View data with variadic buffers in record batch columns, requiring specific multi-threaded IO timing conditions. Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 7.0 (HIGH). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker could exploit this vulnerability to compromise the affected system.
Remediation	A vendor patch is available — apply it immediately. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all systems and applications using Apache Arrow C++ versions 15.0.0-23.0.0 and assess exposure in production environments. …

Threat intelligence, references, and detailed analysis are available after sign-in.