CVE-2019-12410
Description
While investigating UBSAN errors in https://github.com/apache/arrow/pull/5365 it was discovered that Apache Arrow versions 0.12.0 to 0.14.1 left memory Array data uninitialized when reading RLE null data from Parquet. This affected the C++, Python, Ruby and R implementations. The uninitialized memory could potentially be shared if arrays are transmitted over the wire (for instance with Flight) or persisted in the streaming IPC and file formats.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Arrow 0.12.0–0.14.1 leaves memory uninitialized when reading RLE null data from Parquet, potentially leaking sensitive data via IPC/Flight.
Vulnerability
Overview
CVE-2019-12410 is an uninitialized memory vulnerability in Apache Arrow versions 0.12.0 through 0.14.1. The bug resides in the C++ implementation and affects the Python, Ruby, and R bindings. When reading run-length encoded (RLE) null data from Parquet files, the Arrow library fails to initialize the memory backing array data, leaving it in an undefined state [1][4].
Exploitation
Scenario
An attacker does not need direct access to the vulnerable system; the risk arises when uninitialized memory is serialized and transmitted. Arrow arrays containing this uninitialized data can be sent over the network using the Arrow Flight RPC protocol or persisted via the streaming IPC and file formats [1][2]. To exploit this, an attacker would need to be able to receive or read such serialized Arrow data, which could occur if an Arrow-based service exposes endpoints for data exchange or stores files in a shared location [4].
Impact
If the uninitialized memory contains sensitive information (e.g., passwords, cryptographic keys, private data from other processes or previous allocations), that information could be unintentionally disclosed to recipients of the Arrow data. The vulnerability does not affect data persisted to the Apache Parquet file format itself, only the Arrow in-memory representation and its derivatives [4].
Mitigation
The Apache Arrow project patched this issue in version 0.15.1 [4]. Users are strongly advised to upgrade to 0.15.1 or later. No workarounds are documented; upgrading is the recommended remediation.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pyarrow (PyPI) | >= 0.12.0, < 0.15.1 | 0.15.1 |
| red-arrow (RubyGems) | >= 0.12.0, < 0.15.1 | 0.15.1 |
Affected products
- GHSA coordinates (2 version ranges, no CPE): >= 0.12.0, < 0.15.1
- GHSA coordinates (no CPE): >= 0.12.0, < 0.15.1
- Apache Software Foundation / Apache Arrow (v5 record) range: Apache Arrow 0.12.0 to 0.14.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-cjw4-2w9r-r8mv (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-12410 (ghsa; ADVISORY)
- www.openwall.com/lists/oss-security/2019/11/08/1 (ghsa; mailing-list, x_refsource_MLIST, WEB)
- github.com/pypa/advisory-database/tree/main/vulns/pyarrow/PYSEC-2019-196.yaml (ghsa; WEB)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/red-arrow/CVE-2019-12410.yml (ghsa; WEB)
- lists.apache.org/thread.html/49f067b1c5fb7493d952580f0d2d032819ba351f7a78743c21126269%40%3Cdev.arrow.apache.org%3E (mitre; mailing-list, x_refsource_MLIST, x_refsource_CONFIRM)
- lists.apache.org/thread.html/49f067b1c5fb7493d952580f0d2d032819ba351f7a78743c21126269@%3Cdev.arrow.apache.org%3E (ghsa; WEB)
- lists.apache.org/thread.html/efd8bbf57427d3c303b5316d208a335f8d0c0dbe0dc4c87cfa995073%40%3Cannounce.apache.org%3E (mitre; mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/efd8bbf57427d3c303b5316d208a335f8d0c0dbe0dc4c87cfa995073@%3Cannounce.apache.org%3E (ghsa; WEB)
News mentions
No linked articles in our index yet.