{"api_version":"1","generated_at":"2026-04-22T21:39:29+00:00","cve":"CVE-2021-41495","urls":{"html":"https://cve.report/CVE-2021-41495","api":"https://cve.report/api/cve/CVE-2021-41495.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-41495","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-41495"},"summary":{"title":"CVE-2021-41495","description":"** DISPUTED ** Null Pointer Dereference vulnerability exists in numpy.sort in NumPy <= 1.19 in the PyArray_DescrNew function due to missing return-value validation, which allows attackers to conduct DoS attacks by repetitively creating sort arrays. NOTE: While correct that validation is missing, an error can only occur due to an exhaustion of memory. If the user can exhaust memory, they are already privileged. Further, it should be practically impossible to construct an attack which can target the memory exhaustion to occur at exactly this place.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2021-12-17 20:15:00","updated_at":"2023-11-07 03:38:00"},"problem_types":["CWE-476"],"metrics":[],"references":[{"url":"https://github.com/numpy/numpy/issues/19038","name":"https://github.com/numpy/numpy/issues/19038","refsource":"MISC","tags":[],"title":"Missing return-value validation of the function PyArray_DescrNew · Issue #19038 · numpy/numpy · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.oracle.com/security-alerts/cpujul2022.html","name":"N/A","refsource":"N/A","tags":[],"title":"Oracle Critical Patch Update Advisory - July 2022","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-41495","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-41495","name":"NVD vulnerability 
detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"41495","vulnerable":"1","versionEndIncluding":"1.19.0","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"numpy","cpe5":"numpy","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2021-41495","qid":"199066","title":"Ubuntu Security Notification for NumPy Vulnerabilities (USN-5763-1)"},{"cve":"CVE-2021-41495","qid":"20270","title":"Oracle Database 21c Critical Patch Update - October 2022"},{"cve":"CVE-2021-41495","qid":"240981","title":"Red Hat Update for OpenStack Platform 16.1.9 (RHSA-2022:8861)"},{"cve":"CVE-2021-41495","qid":"240994","title":"Red Hat Update for OpenStack Platform 16.2.4 (RHSA-2022:8852)"},{"cve":"CVE-2021-41495","qid":"296062","title":"Oracle Solaris 11.4 Support Repository Update (SRU) 43.113.3 Missing (CPUJAN2022)"},{"cve":"CVE-2021-41495","qid":"671463","title":"EulerOS Security Update for numpy (EulerOS-SA-2022-1432)"},{"cve":"CVE-2021-41495","qid":"671464","title":"EulerOS Security Update for numpy (EulerOS-SA-2022-1453)"},{"cve":"CVE-2021-41495","qid":"671624","title":"EulerOS Security Update for numpy (EulerOS-SA-2022-1662)"},{"cve":"CVE-2021-41495","qid":"671625","title":"EulerOS Security Update for numpy (EulerOS-SA-2022-1648)"},{"cve":"CVE-2021-41495","qid":"671832","title":"EulerOS Security Update for numpy (EulerOS-SA-2022-1906)"},{"cve":"CVE-2021-41495","qid":"672239","title":"EulerOS Security Update for numpy (EulerOS-SA-2022-2626)"},{"cve":"CVE-2021-41495","qid":"690879","title":"Free Berkeley Software Distribution (FreeBSD) Security Update for py (b51cfaea-e919-11ec-9fba-080027240888)"},{"cve":"CVE-2021-41495","qid":"751958","title":"OpenSUSE Security Update for python2-numpy 
(openSUSE-SU-2022:1064-1)"},{"cve":"CVE-2021-41495","qid":"752368","title":"SUSE Enterprise Linux Security Update for python2-numpy (SUSE-SU-2022:2441-1)"},{"cve":"CVE-2021-41495","qid":"752423","title":"SUSE Enterprise Linux Security Update for python-numpy (SUSE-SU-2022:2646-1)"},{"cve":"CVE-2021-41495","qid":"752426","title":"SUSE Enterprise Linux Security Update for python-numpy (SUSE-SU-2022:2645-1)"},{"cve":"CVE-2021-41495","qid":"752580","title":"SUSE Enterprise Linux Security Update for python2-numpy (SUSE-SU-2022:1064-2)"},{"cve":"CVE-2021-41495","qid":"753409","title":"SUSE Enterprise Linux Security Update for python2-numpy (SUSE-SU-2022:1064-1)"},{"cve":"CVE-2021-41495","qid":"900383","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for numpy (7036)"},{"cve":"CVE-2021-41495","qid":"900973","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for numpy (7045-1)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2021-41495","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"** DISPUTED ** Null Pointer Dereference vulnerability exists in numpy.sort in NumPy &lt and 1.19 in the PyArray_DescrNew function due to missing return-value validation, which allows attackers to conduct DoS attacks by repetitively creating sort arrays. NOTE: While correct that validation is missing, an error can only occur due to an exhaustion of memory. If the user can exhaust memory, they are already privileged. 
Further, it should be practically impossible to construct an attack which can target the memory exhaustion to occur at exactly this place."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"url":"https://github.com/numpy/numpy/issues/19038","refsource":"MISC","name":"https://github.com/numpy/numpy/issues/19038"},{"url":"https://www.oracle.com/security-alerts/cpujul2022.html"}]}},"nvd":{"publishedDate":"2021-12-17 20:15:00","lastModifiedDate":"2023-11-07 03:38:00","problem_types":["CWE-476"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH","baseScore":5.3,"baseSeverity":"MEDIUM"},"exploitabilityScore":1.6,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:S/C:N/I:N/A:P","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"SINGLE","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"PARTIAL","baseScore":3.5},"severity":"LOW","exploitabilityScore":6.8,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:numpy:numpy:*:*:*:*:*:*:*:*","versionEndIncluding":"1.19.0","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"41495","Ordinal":"217285","Title":"CVE-2021-41495","CVE":"CVE-2021-41495","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"41495","Ordinal":"1","NoteData":"** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security 
problem. When the candidate has been publicized, the details for this candidate will be provided.","Type":"Description","Title":null}]}}}