MLX Heap Buffer Overflow Vulnerability in NumPy .npy File Parsing
Vulnerability
A heap buffer overflow vulnerability has been identified in MLX, an array framework for machine learning on Apple silicon, prior to version 0.29.4. The issue arises in the 'mlx::core::load()' function when the parser processes malicious NumPy .npy files. This vulnerability allows for a 13-byte out-of-bounds read, which can lead to a crash or potential information disclosure.
Impact
Exploitation of this vulnerability causes a heap buffer overflow, resulting in a crash and a possible 13-byte leak of heap memory.
Reproduction
The vulnerability can be reproduced by creating a malicious .npy file that exploits the buffer overflow. This can be done by crafting a file that includes a specially formatted header, which the MLX parser will read incorrectly, leading to an out-of-bounds memory access. The AddressSanitizer can be used to verify the heap-buffer-overflow error.
Remediation
Users should update to MLX version 0.29.4 or later, where this vulnerability has been patched.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.