AVID-2026-R0918

Description

Vulnerability CVE-2021-41495

Details

Null Pointer Dereference vulnerability exists in numpy.sort in NumPy < and 1.19 in the PyArray_DescrNew function due to missing return-value validation, which allows attackers to conduct DoS attacks by repetitively creating sort arrays. NOTE: While it is correct that validation is missing, an error can only occur due to an exhaustion of memory. If the user can exhaust memory, they are already privileged. Further, it should be practically impossible to construct an attack which can target the memory exhaustion to occur at exactly this place.

Reason for inclusion in AVID: CVE-2021-41495 describes a null pointer dereference in NumPy’s sort routine due to missing return-value validation, enabling DoS via memory exhaustion. NumPy is a fundamental dependency in AI software stacks (arrays, data preprocessing, numerics), so this is an AI-related vulnerability in software used to build/train/deploy general-purpose AI systems. It is a software supply-chain issue (dependency risk) rather than hardware/firmware. The report provides a CVE and references (NVD, NumPy issue, Oracle CPU advisory) sufficient to establish the vulnerability and its impact.

References

Affected or Relevant Artifacts

  • Developer: n/a
  • Deployer: n/a
  • Artifact Details:
      Type      Name
      System    n/a

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2021-12-17
  • Version: 0.3.3
  • AVID Entry