Apache Arrow
cpe:2.3:a:apache:arrow:*:*:*:*:*:*:*
- >= 15.0.0, <= 23.0.0
A use-after-free vulnerability has been identified in Apache Arrow C++ versions 15.0.0 through 23.0.0. This issue arises when reading an Arrow IPC file, as opposed to an IPC stream, with pre-buffering enabled. The vulnerability is triggered if the IPC file contains data with variadic buffers, such as Binary View and String View data. Under these conditions, and depending on the number of variadic buffers in a record batch column and the timing of multi-threaded I/O operations, a write to a dangling pointer could occur. The overwritten pointer is not directly controlled by the attacker, but could lead to random crashes or memory corruption. If the application processes IPC files from untrusted sources, this vulnerability could be exploited to cause a denial-of-service. More targeted exploitation, such as extracting confidential data from the running process, would depend on specific memory allocation patterns and the timing of I/O operations, which are difficult for an attacker to manipulate.
Exploitation of this vulnerability could result in random crashes or memory corruption when reading certain IPC files. In applications that accept IPC files from untrusted sources, this vulnerability could be used to cause a denial-of-service. Additionally, there is a potential for more targeted exploitation, such as extracting confidential data from the running process, although this would depend on specific and unlikely-to-control factors.
Users of Apache Arrow C++ should check if pre-buffering is enabled on the IPC file reader. If it is, they can either disable pre-buffering, which may negatively impact performance, or upgrade to Apache Arrow version 23.0.1, which is not vulnerable.
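The check described above can be scripted. The following Python triage sketch is an added example, not code from the Apache Arrow project or from this advisory: it reads the Arrow version from the `ARROW_VERSION_STRING` macro in `arrow/util/config.h` and looks for pre-buffering call sites in C++ sources. It assumes pre-buffering is requested through `RecordBatchFileReader::PreBufferMetadata`; adjust the pattern to the calls your code base uses. The sample inputs are constructed.

```python
import re

AFFECTED_MIN = (15, 0, 0)  # first affected release, per the advisory
AFFECTED_MAX = (23, 0, 0)  # last affected release; 23.0.1 is fixed

# Assumption: pre-buffering is requested via RecordBatchFileReader::PreBufferMetadata.
PREBUFFER_CALL = re.compile(r"\bPreBufferMetadata\s*\(")
VERSION_MACRO = re.compile(r'#\s*define\s+ARROW_VERSION_STRING\s+"(\d+)\.(\d+)\.(\d+)')

def arrow_version(config_h_text):
    """Return (major, minor, patch) from the text of arrow/util/config.h, or None."""
    m = VERSION_MACRO.search(config_h_text)
    return tuple(int(g) for g in m.groups()) if m else None

def is_affected(version):
    """True if the version lies in the advisory's range 15.0.0 to 23.0.0 inclusive."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX

def prebuffer_call_sites(sources):
    """sources: {path: text}. Return [(path, line_no, line)] for pre-buffering calls."""
    hits = []
    for path, text in sorted(sources.items()):
        for no, line in enumerate(text.splitlines(), 1):
            code = line.split("//", 1)[0]  # crude: ignore text after a // comment
            if PREBUFFER_CALL.search(code):
                hits.append((path, no, line.strip()))
    return hits

def triage(config_h_text, sources):
    """Combine the version check and the call-site scan into one verdict string."""
    version = arrow_version(config_h_text)
    if version is None:
        return "unknown: Arrow version macro not found"
    if not is_affected(version):
        return "not affected: Arrow %d.%d.%d is outside 15.0.0-23.0.0" % version
    hits = prebuffer_call_sites(sources)
    if not hits:
        return "affected version, no pre-buffering call found"
    sites = ", ".join("%s:%d" % h[:2] for h in hits)
    return "exposed: upgrade to 23.0.1 or disable pre-buffering at " + sites

# Constructed sample inputs (OpenReader is a hypothetical helper).
SAMPLE_CONFIG_H = '#define ARROW_VERSION_MAJOR 17\n#define ARROW_VERSION_STRING "17.0.0"\n'
SAMPLE_SOURCES = {
    "src/load.cc": "auto reader = OpenReader(file);\nARROW_RETURN_NOT_OK(reader->PreBufferMetadata({}));\n",
    "src/stream.cc": "// PreBufferMetadata() is not used for streams\nReadStream(input);\n",
}

if __name__ == "__main__":
    print(triage(SAMPLE_CONFIG_H, SAMPLE_SOURCES))
```

A clean scan of your own sources does not cover third-party code that links Arrow C++ and enables pre-buffering itself.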