CVE-2023-38678: CWE-125 Out-of-bounds Read in PaddlePaddle PaddlePaddle

Medium
Tags: Vulnerability, CVE-2023-38678, cve, cwe-125
Published: Wed Jan 03 2024 (01/03/2024, 08:11:55 UTC)
Source: CVE Database V5
Vendor/Project: PaddlePaddle
Product: PaddlePaddle

Description

OOB access in paddle.mode in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.

AI-Powered Analysis

AI analysis last updated: 07/04/2025, 03:57:31 UTC

Technical Analysis

CVE-2023-38678 is a medium-severity vulnerability classified as CWE-125 (Out-of-bounds Read) affecting PaddlePaddle, the open-source deep learning framework developed by Baidu. The flaw is in paddle.mode, the public API that computes the mode (most frequent value) of a tensor along an axis and returns both the values and their indices; it affects all releases before 2.6.0. Under some inputs the underlying operator reads memory outside the bounds of the buffer it was given. Because the operator is native code running inside the Python process, an out-of-bounds read that faults terminates that whole process (a training job, a notebook kernel, or an inference server), which is the denial-of-service condition described in the record. The vulnerability is scored as having no direct confidentiality or integrity impact; the impact is to availability. The CVSS 3.1 base score is 4.7, reflecting a network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), but requiring user interaction (UI:R). The scope is changed (S:C), meaning the crash affects more than the vulnerable component itself. In practice "user interaction" here means that something must feed attacker-influenced data into a paddle.mode call, for example a model-serving endpoint that builds tensors from request bodies or a pipeline that processes untrusted files. The fix shipped in PaddlePaddle 2.6.0; the CVE record does not link a specific patch commit. No exploits are reported in the wild. The issue was publicly disclosed on January 3, 2024 and is relevant to any organization running PaddlePaddle in production or research environments, since unexpected crashes disrupt training and inference workflows.

Potential Impact

For European organizations using PaddlePaddle for AI development, research, or production, the risk is service disruption through denial of service. AI workloads frequently sit on critical paths for data analysis, automation, and decision-making, so an unexpected crash means operational downtime, lost work (for example an interrupted training run that must be restarted from its last checkpoint), and delays in AI-driven services. As scored, the vulnerability does not allow data leakage or code execution, but the availability impact matters in environments where continuous AI processing is essential, such as financial institutions, healthcare providers, and manufacturing. Cloud-hosted AI services built on PaddlePaddle can see cascading effects if the process hosting the model dies, and a serving endpoint that can be crashed on demand by a crafted request is a cheap, repeatable denial-of-service primitive. The user-interaction requirement limits fully unattended remote exploitation but does not remove the risk wherever users or automated systems pass externally sourced data to the vulnerable API.

Mitigation Recommendations

European organizations should prioritize upgrading PaddlePaddle to version 2.6.0 or later, where this vulnerability is fixed; verify the installed version (for example with pip show paddlepaddle or paddle.__version__) rather than relying on deployment manifests. Where an immediate upgrade is not possible, add defense in depth around the affected API: validate tensor inputs in Python before they reach paddle.mode (shape, rank, axis range, non-empty dimensions, dtype), and reject anything malformed with an exception rather than letting it reach native code. Run inference and training workers as separate, supervised processes so that a crash in one worker is isolated and restarted instead of taking down the whole service, and monitor for abnormal process terminations and segmentation-fault signatures in those workers, since a spike in crashes is the observable symptom of this class of bug. Restrict access to PaddlePaddle interfaces and model-serving endpoints to trusted callers, and make developers aware that untrusted data must not flow unchecked into tensor operations. Regularly review and apply security advisories from Baidu and the PaddlePaddle community to stay current on patches.
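An added example of the pre-call validation recommended above. This is not PaddlePaddle project code and it does not claim to know the exact input that triggers CVE-2023-38678; it enforces the documented preconditions of paddle.mode(x, axis=-1, keepdim=False) (a real axis on a non-empty tensor, a rectangular shape) so that malformed input fails in Python instead of reaching the native operator. The reference_mode stand-in, its tie-break rule, the sample batch, and the optional paddle import are all assumptions made so the example runs offline; the upgrade to 2.6.0 remains the actual fix.

```python
"""Defensive pre-call validation for paddle.mode(x, axis=-1, keepdim=False).

Added example, not PaddlePaddle project code. The checks enforce the API's
documented preconditions as generic hardening; they are not a statement of
the CVE's exact trigger.
"""
from typing import Callable, List, Optional, Sequence, Tuple


class ModeInputError(ValueError):
    """Raised when an input would violate paddle.mode's preconditions."""


def infer_shape(x) -> Tuple[int, ...]:
    """Return the shape of a tensor-like object or a rectangular nested list."""
    if hasattr(x, "shape"):  # paddle.Tensor / numpy.ndarray
        return tuple(int(d) for d in x.shape)
    shape: List[int] = []
    cur = x
    while isinstance(cur, (list, tuple)):
        shape.append(len(cur))
        if len(cur) == 0:
            break
        head_is_seq = isinstance(cur[0], (list, tuple))
        for e in cur:  # ragged nested lists have no single shape; refuse them
            if isinstance(e, (list, tuple)) != head_is_seq or (
                head_is_seq and len(e) != len(cur[0])
            ):
                raise ModeInputError("ragged nested list is not a valid tensor")
        cur = cur[0]
    return tuple(shape)


def normalize_axis(axis: int, ndim: int) -> int:
    """Map a Python-style axis (possibly negative) into [0, ndim) or reject it."""
    if isinstance(axis, bool) or not isinstance(axis, int):
        raise ModeInputError(f"axis must be an int, got {type(axis).__name__}")
    if ndim == 0:
        raise ModeInputError("0-D tensor has no axis to reduce over")
    if not -ndim <= axis < ndim:
        raise ModeInputError(f"axis {axis} out of range for {ndim}-D tensor")
    return axis % ndim


def check_mode_inputs(shape: Sequence[int], axis: int = -1) -> int:
    """Validate (shape, axis) for a mode reduction; return the normalized axis."""
    shape = tuple(shape)
    if any(isinstance(d, bool) or not isinstance(d, int) or d < 0 for d in shape):
        raise ModeInputError(f"invalid shape {shape}")
    ax = normalize_axis(axis, len(shape))
    if shape[ax] == 0:
        raise ModeInputError("reduction axis has length 0; mode is undefined")
    return ax


def reference_mode(x, axis: int, keepdim: bool):
    """Pure-Python stand-in for paddle.mode on a 2-D nested list, last axis only.

    Ties go to the value that appears first in the row. That is this stub's own
    choice (an assumption), not a claim about PaddlePaddle's tie-break rule.
    """
    if axis != 1 or len(infer_shape(x)) != 2:
        raise NotImplementedError("stand-in supports 2-D input over the last axis")
    values, indices = [], []
    for row in x:
        counts = {}
        for v in row:
            counts[v] = counts.get(v, 0) + 1
        best = max(counts, key=lambda v: (counts[v], -row.index(v)))
        values.append(best)
        indices.append(row.index(best))
    if keepdim:
        values = [[v] for v in values]
        indices = [[i] for i in indices]
    return values, indices


def guarded_mode(x, axis: int = -1, keepdim: bool = False,
                 mode_fn: Optional[Callable] = None):
    """Validate inputs in Python, then dispatch to paddle.mode (or a stand-in).

    Rejected inputs raise ModeInputError before any native operator runs,
    which is where an out-of-bounds read would crash the whole process.
    """
    ax = check_mode_inputs(infer_shape(x), axis)
    if mode_fn is None:
        import paddle  # assumption: PaddlePaddle >= 2.6.0 is installed
        mode_fn = paddle.mode
    return mode_fn(x, axis=ax, keepdim=keepdim)


if __name__ == "__main__":
    batch = [[1, 2, 2], [3, 3, 1]]  # constructed sample input
    print(guarded_mode(batch, axis=-1, mode_fn=reference_mode))  # ([2, 3], [1, 0])
    for bad in ([[1, 2, 2], [3, 3, 1]], [[], []]):
        try:
            guarded_mode(bad, axis=2 if bad[0] else -1, mode_fn=reference_mode)
        except ModeInputError as err:
            print("rejected:", err)
```

In a serving process the wrapper replaces direct calls to paddle.mode on request-derived tensors; the validation cost is negligible next to the operator itself, and a rejected request produces a logged exception rather than a dead worker.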

Technical Details

Data Version
5.1
Assigner Short Name
Baidu
Date Reserved
2023-07-24T07:55:02.092Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 683f0dc2182aa0cae27ff37c

Added to database: 6/3/2025, 2:59:14 PM

Last enriched: 7/4/2025, 3:57:31 AM

Last updated: 7/30/2025, 7:34:39 PM
