Use After Free Vulnerability in Apache Arrow C++ Software
CVE-2026-25087

7 HIGH

Key Information:

Vendor: Apache
CVE Published: 17 February 2026

What is CVE-2026-25087?

A use-after-free vulnerability exists in Apache Arrow C++ across versions 15.0.0 to 23.0.0. It is triggered while reading IPC files with pre-buffering enabled, and arises when handling variadic buffers such as Binary View and String View data. It allows a potential write to a dangling pointer, which can cause crashes or memory corruption. If applications mistakenly accept untrusted IPC files, this vulnerability could lead to denial of service attacks. To mitigate risks, users should assess their pre-buffering practices and consider upgrading to version 23.0.1.

Affected Version(s)

Apache Arrow 15.0.0 <= 23.0.0

Apache Arrow 23.0.1

CVSS V3.1

Score: 7
Severity: HIGH
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

"emi" / "rootkid19"