CVE-2023-52307: 
Python vulnerability analysis and mitigation

A stack overflow vulnerability was identified in PaddlePaddle's paddle.linalg.lu_unpack function, affecting versions before 2.6.0. The vulnerability was assigned CVE-2023-52307 and was discovered by Tong Liu of CAS-IIE. The issue was disclosed on January 3, 2024 (NVD, Vendor Advisory).

The vulnerability occurs when invalid shapes cause a stack buffer overflow in the paddle.linalg.lu_unpack function. The issue has been assigned a CVSS v3.1 base score of 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) by NIST NVD, while Baidu assessed it with a score of 8.2 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:L). The vulnerability is classified as CWE-787 (Out-of-bounds Write) by NIST and CWE-120 (Buffer Copy without Checking Size of Input) by Baidu (NVD).

This vulnerability can lead to a denial of service condition, or potentially cause more severe damage to the affected system. The high CVSS scores indicate critical severity with potential for complete system compromise (NVD).

The vulnerability has been patched in commit 10093636a10f29f73f13729b33570d8cafd58fb6 and is included in PaddlePaddle version 2.6.0. Users are advised to upgrade to this version or later to mitigate the vulnerability (Vendor Advisory).