CVE-2026-25087 is a Use After Free vulnerability identified in the Apache Arrow C++ library affecting versions 15.0.0 through 23.0.0. The vulnerability arises when reading Arrow IPC files (not IPC streams) with the pre-buffering feature enabled via the `RecordBatchFileReader::PreBufferMetadata` API. This feature is disabled by default and not exposed in language bindings such as Python, Ruby, or C GLib, limiting the attack surface to native C++ applications that explicitly enable pre-buffering. The issue occurs due to improper handling of variadic buffers (e.g., Binary View and String View data) within record batch columns during multi-threaded IO operations. Specifically, a write operation may target a dangling pointer referencing a `std::shared_ptr<Buffer>` object, leading to memory corruption or application crashes. The value written is not attacker-controlled, reducing the likelihood of arbitrary code execution or data exfiltration. However, if an application processes IPC files from untrusted sources with pre-buffering enabled, an attacker could craft malicious IPC files to trigger denial of service through crashes or memory corruption. The vulnerability depends on complex timing and memory allocation patterns, making exploitation for more severe impacts difficult. The recommended remediation is to either disable pre-buffering or upgrade to Apache Arrow version 23.0.1, where the vulnerability has been fixed.

For European organizations utilizing Apache Arrow C++ in data processing pipelines, especially those handling IPC files with pre-buffering enabled, this vulnerability poses a risk of denial of service through application crashes or memory corruption. Industries relying on high-performance analytics, financial services, telecommunications, and research institutions that process large datasets with Arrow IPC files could experience service disruptions. Although the risk of data leakage or remote code execution is low, the instability caused by this vulnerability could impact availability and reliability of critical data processing systems. Organizations ingesting IPC files from untrusted or external sources are particularly vulnerable. Given that the vulnerability requires explicit enabling of pre-buffering and use of the C++ API, the attack surface is somewhat limited but still relevant for native C++ applications in production environments.

European organizations should audit their use of Apache Arrow C++ to determine if pre-buffering is enabled via `RecordBatchFileReader::PreBufferMetadata`. If enabled, they should consider disabling pre-buffering to eliminate the vulnerability, understanding that this may impact performance. Alternatively, upgrading to Apache Arrow version 23.0.1 or later, where the vulnerability is patched, is strongly recommended. Additionally, organizations should implement strict validation and sanitization of IPC files ingested from untrusted sources to reduce the risk of malicious input. Employing runtime memory protection tools such as AddressSanitizer during development and testing can help detect use-after-free issues early. Monitoring application logs for crashes or memory errors related to IPC file processing can aid in early detection of exploitation attempts. Finally, restricting access to IPC file ingestion interfaces and applying network segmentation can limit exposure.