CVE-2023-52304: 
Python vulnerability analysis and mitigation

A stack overflow vulnerability was identified in the paddle.searchsorted function of PaddlePaddle versions before 2.6.0. The vulnerability was assigned CVE-2023-52304 and was discovered by Tong Liu of CAS-IIE. This security flaw was disclosed on January 3, 2024, affecting the PaddlePaddle machine learning framework (Vendor Advisory).

The vulnerability is classified as an Out-of-bounds Write (CWE-787) and Buffer Copy without Checking Size of Input (CWE-120). It received a CVSS v3.1 base score of 9.8 (CRITICAL) from NIST with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, while Baidu assessed it with a score of 8.2 (HIGH) and vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:L (NVD).

The vulnerability can lead to a denial of service condition or potentially more severe consequences when invalid shapes cause stack buffer overflow in the paddle.searchsorted function (NVD).

The vulnerability has been patched in PaddlePaddle version 2.6.0. The fix was implemented in commit 19da5c0c4d8c5e4dfef2a92e24141c3f51884dcc. Users are advised to upgrade to version 2.6.0 or later to address this security issue (Vendor Advisory).