CVE-2019-12408
Description
It was discovered that the C++ implementation (which underlies the R, Python and Ruby implementations) of Apache Arrow 0.14.0 to 0.14.1 had an uninitialized memory bug when building arrays with null values in some cases. This can lead to uninitialized memory being unintentionally shared if Arrow Arrays are transmitted over the wire (for instance with Flight) or persisted in the streaming IPC and file formats.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Arrow 0.14.0–0.14.1 C++ core has an uninitialized memory bug when building arrays with nulls, risking data leakage across IPC or Flight.
Root Cause
Apache Arrow versions 0.14.0 and 0.14.1 contain an uninitialized memory bug in the C++ implementation, which also underlies the R, Python and Ruby bindings, so those bindings inherit it. When an array that includes null values is built under certain conditions, buffer bytes that were never written remain in the array's memory and hold whatever the allocator handed out [1].
Exploitation
Exploitation is passive: the attacker does not have to trigger anything in the producing process, only to receive Arrow data that a vulnerable process serialized. That covers a Flight client reading from a vulnerable server and anyone who can read IPC streams or files the process wrote. Arrow's layout leaves the value bytes of null slots unspecified, and a builder that reserves those bytes without zeroing them ships whatever was previously in that memory; since consumers never read the value bytes of slots the validity bitmap marks null, the leak is invisible to ordinary deserialization and only shows up when the raw buffers are inspected [1].
Impact
Because the uninitialized memory can contain residual data from the producing process (for example credentials, keys or other rows it handled earlier), a recipient of the serialized arrays can read data the producer never intended to export. This is a confidentiality breach; the bug does not by itself give the attacker any control over the producer [1][2][3].
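As an added example (not Apache Arrow's own code, and not the specific code path behind this CVE, which the page does not identify), the following Python models the Arrow fixed-width layout in which this class of bug lives: a validity bitmap (LSB bit ordering, 1 = valid) plus a values buffer of fixed-width slots whose bytes are never written for null entries. A simulated allocator that hands back recycled memory stands in for the uninitialized allocation, and `null_slot_leak` is the audit a practitioner could run over the buffers of a suspect array or payload. The names `STALE_HEAP`, `alloc`, `build_int64_array`, `serialize_ipc_like`, `null_slot_leak` and `demo`, and the embedded "secret" bytes, are all constructed for this example.

```python
"""Model of how uninitialized null slots in an Arrow-style array leak
through serialization, plus an audit routine for null-slot bytes.
Added example; not Apache Arrow code. Layout facts used: validity bitmap
with LSB bit ordering (1 = valid), values buffer of `width` bytes per slot."""

import struct
from typing import List, Optional, Tuple

# Constructed "stale heap": what an earlier user of the memory left behind.
STALE_HEAP = bytearray(b"api_key=SECRET-42;" * 8)


def alloc(nbytes: int, zeroed: bool) -> bytearray:
    """Return a buffer of nbytes. zeroed=False models a raw allocation that
    reuses memory without clearing it (the bug class); zeroed=True models
    the fix, where the builder zero-fills what it reserves."""
    if zeroed:
        return bytearray(nbytes)
    return bytearray(STALE_HEAP[:nbytes])


def build_int64_array(values: List[Optional[int]], zero_nulls: bool) -> Tuple[bytes, bytes]:
    """Build (validity_bitmap, values_buffer) for an Arrow-style int64 array.
    Null slots are skipped when writing values; whether they end up zero
    depends entirely on how the values buffer was allocated."""
    n, width = len(values), 8
    bitmap = bytearray((n + 7) // 8)
    data = alloc(n * width, zeroed=zero_nulls)
    for i, v in enumerate(values):
        if v is None:
            continue  # null slot: bitmap bit stays 0, value bytes untouched
        bitmap[i // 8] |= 1 << (i % 8)  # LSB bit ordering
        struct.pack_into("<q", data, i * width, v)
    return bytes(bitmap), bytes(data)


def serialize_ipc_like(bitmap: bytes, data: bytes) -> bytes:
    """Stand-in for writing the buffers into an IPC/Flight message: buffers
    are copied verbatim, so null-slot bytes travel with the payload."""
    return bitmap + data


def null_slot_leak(bitmap: bytes, data: bytes, width: int, length: int) -> List[bytes]:
    """Audit: return the raw bytes of every null slot that is not all-zero.
    An empty list means the null slots carry no residual data."""
    leaks = []
    for i in range(length):
        valid = (bitmap[i // 8] >> (i % 8)) & 1
        if not valid:
            chunk = data[i * width:(i + 1) * width]
            if any(chunk):
                leaks.append(chunk)
    return leaks


def demo() -> dict:
    """Build the same logical array both ways and audit the null slots."""
    values = [1, None, None, 4, None]
    vuln_bitmap, vuln_data = build_int64_array(values, zero_nulls=False)
    fixed_bitmap, fixed_data = build_int64_array(values, zero_nulls=True)
    return {
        "vuln_leaks": null_slot_leak(vuln_bitmap, vuln_data, 8, len(values)),
        "fixed_leaks": null_slot_leak(fixed_bitmap, fixed_data, 8, len(values)),
        "vuln_wire": serialize_ipc_like(vuln_bitmap, vuln_data),
    }


if __name__ == "__main__":
    result = demo()
    print("null-slot bytes in vulnerable build:", result["vuln_leaks"])
    print("null-slot bytes in fixed build:     ", result["fixed_leaks"])
    print("stale secret on the wire:", b"SECRET" in result["vuln_wire"])
```

Both builds decode to the same logical array, because a consumer ignores the value bytes of null slots; only the raw audit tells them apart. Against a real pyarrow array the same check applies: `arr.buffers()` returns the validity bitmap and values buffer for a primitive type (the validity entry is None when the array has no nulls, and a non-zero `arr.offset` shifts slot positions), and passing their `to_pybytes()` contents with the type's byte width to `null_slot_leak` performs this audit.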
Mitigation
The GitHub Security Advisory lists 0.15.1 as the first patched release for both pyarrow and red-arrow, with an affected range of >= 0.14.0, < 0.15.1; upgrade to 0.15.1 or later. Note that the CVE description names only 0.14.0 and 0.14.1 as affected while the advisory's range also covers 0.15.0, so treat 0.15.1 as the safe floor. Upgrading does not clean data already produced: IPC streams and files written by an affected version keep whatever bytes landed in their null slots, so such artifacts should be regenerated or audited before being shared. The advisory is also tracked in the Python (pyarrow) and Ruby (red-arrow) security databases, confirming the impact across language bindings [2][3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| pyarrow | PyPI | >= 0.14.0, < 0.15.1 | 0.15.1 |
| red-arrow | RubyGems | >= 0.14.0, < 0.15.1 | 0.15.1 |
Affected products
- GHSA coordinates (no CPE), two entries: >= 0.14.0, < 0.15.1
- Apache Software Foundation / Apache Arrow (CVE record v5): Apache Arrow 0.14.0 to 0.14.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] GHSA-8cw2-jv5c-c825 (GitHub Security Advisory): github.com/advisories/GHSA-8cw2-jv5c-c825
[2] PYSEC-2019-195 (pypa/advisory-database, pyarrow): github.com/pypa/advisory-database/tree/main/vulns/pyarrow/PYSEC-2019-195.yaml
[3] ruby-advisory-db entry for red-arrow: github.com/rubysec/ruby-advisory-db/blob/master/gems/red-arrow/CVE-2019-12408.yml
[4] NVD: nvd.nist.gov/vuln/detail/CVE-2019-12408
[5] Apache Arrow dev list thread (vendor confirmation): lists.apache.org/thread.html/49f067b1c5fb7493d952580f0d2d032819ba351f7a78743c21126269@%3Cdev.arrow.apache.org%3E
[6] Apache announce list thread: lists.apache.org/thread.html/efd8bbf57427d3c303b5316d208a335f8d0c0dbe0dc4c87cfa995073@%3Cannounce.apache.org%3E
News mentions
No linked articles in our index yet.