CVE-2025-3145

Vulnerability

Analysis

The vulnerability is a memory corruption issue in MindSpore version 2.5.0, specifically within the mindspore.numpy.fft.rfft2 function. The problem is classified as problematic with a low severity (CVSS 3.3). According to the advisory, the function's implementation can lead to memory corruption, which manifests as a segmentation fault during execution. The root cause appears to be improper memory handling, as reported in the MindSpore issue tracker [1].

Exploitation

Exploitation requires local access to the system, meaning an attacker must already have the ability to execute code on the target machine. No authentication is mentioned as a barrier, but the local nature implies the attacker needs some level of system access. The exploit has been publicly disclosed [1], which could lower the barrier for attackers who understand the specific input needed to trigger the fault.

Impact

Successful exploitation results in a segmentation fault, causing the affected MindSpore process to crash. This denial-of-service condition could disrupt machine learning workflows or applications relying on the library. While the vulnerability is classified as low severity due to local access requirements and limited impact (crash rather than code execution), it could be used in conjunction with other vulnerabilities to cause further disruption.

Mitigation

As of the publication date (2025-04-03), no patch has been mentioned in the available references. Users of MindSpore 2.5.0 are advised to avoid using the vulnerable rfft2 function with untrusted inputs. The issue has been reported and tracked, so users should monitor the MindSpore project for future security updates. No workarounds other than input validation or version rollback have been suggested.