VYPR
← All advisories
Moderate severityNVD Advisory· Published Dec 17, 2021· Updated Aug 3, 2024

CVE-2021-33430

CVE-2021-33430

Description

NumPy 1.9.x buffer overflow in PyArray_NewFromDescr_int when arrays with >32 dimensions are created via complex structured dtypes, leading to denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

NumPy 1.9.x buffer overflow in PyArray_NewFromDescr_int when arrays with >32 dimensions are created via complex structured dtypes, leading to denial of service.

Vulnerability

A buffer overflow vulnerability exists in NumPy versions 1.9.x in the PyArray_NewFromDescr_int function within ctors.c [1][4]. The flaw occurs when an array with more than 32 dimensions is created from Python code, as the function uses fixed-size stack buffers (newdims and newstrides) of size 2*NPY_MAXDIMS (where NPY_MAXDIMS is 32) but passes the actual number of dimensions (nd) to memcpy without bounds checking [4]. The code path is triggered via calls such as array_new, PyArray_Zeros, or array_fromfile when processing arrays with subarray dtypes [4].

Exploitation

Exploitation requires an attacker to craft Python code that creates a NumPy array with more than 32 dimensions using the uncommon API of complicated structured dtypes [1]. The attacker must have the ability to execute arbitrary Python code and invoke NumPy's array creation functions with a high-dimension argument. No special network position or user interaction beyond running the malicious script is needed [1]. The buffer overflow is provoked by the memcpy operations copying nd*sizeof(npy_intp) bytes into a buffer that can only hold up to NPY_MAXDIMS entries [4].

Impact

A successful overflow can corrupt stack memory, potentially leading to a denial of service (DoS) via application crash [1][4]. The vendor disputes this as a vulnerability, arguing that: (a) triggering it requires an already-privileged attacker who can exhaust memory anyway, and (b) the use of uncommon structured dtype APIs makes exploitation very unlikely for unprivileged users [1]. No arbitrary code execution or information disclosure is known from this bug.

Mitigation

No official patch has been released for the 1.9.x branch, which is now end-of-life [1][2]. Users should upgrade to a supported NumPy version (e.g., 1.22 or later) that does not include this code path [2]. As a workaround, avoid creating arrays with more than 32 dimensions when using structured dtypes [1]. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of the last advisory.

References
  1. NVD - CVE-2021-33430
  2. GitHub - numpy/numpy: The fundamental package for scientific computing with Python.
  3. Potential buffer overflow in PyArray_NewFromDescr_int of ctors.c

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
numpyPyPI
>= 1.9.0, < 1.211.21

Affected products

71

Patches

1
ae317fd9ff3e

Merge pull request #18989 from yetanothercheer/gh-18939-potential_buffer_overflow

https://github.com/numpy/numpyCharles HarrisMay 11, 2021via ghsa
commit
1 file changed · +8 8
  • numpy/core/src/multiarray/ctors.c+8 8 modified
    @@ -668,6 +668,14 @@ PyArray_NewFromDescr_int(
     int i;
     npy_intp nbytes;
 
+    if ((unsigned int)nd > (unsigned int)NPY_MAXDIMS) {
+        PyErr_Format(PyExc_ValueError,
+                     "number of dimensions must be within [0, %d]",
+                     NPY_MAXDIMS);
+        Py_DECREF(descr);
+        return NULL;
+    }
+
     if (descr->subarray) {
         PyObject *ret;
         npy_intp newdims[2*NPY_MAXDIMS];
@@ -687,14 +695,6 @@ PyArray_NewFromDescr_int(
         return ret;
     }
 
-    if ((unsigned int)nd > (unsigned int)NPY_MAXDIMS) {
-        PyErr_Format(PyExc_ValueError,
-                     "number of dimensions must be within [0, %d]",
-                     NPY_MAXDIMS);
-        Py_DECREF(descr);
-        return NULL;
-    }
-
     /* Check datatype element size */
     nbytes = descr->elsize;
     if (PyDataType_ISUNSIZED(descr)) {

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.