CVE-2019-6446

CRITICAL

NumPy < 1.16.3 - Remote Code Execution via Unsafe Pickle Deserialization

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-6446. PoCs published by RayScri.

AI-analyzed exploit summary: This PoC demonstrates a deserialization vulnerability in NumPy (CVE-2019-6446) by crafting a malicious pickle file that executes arbitrary commands (e.g., 'whoami') when loaded via `numpy.ma.core.load()`. The exploit leverages Python's `pickle` module and the `__reduce__` method to achieve RCE.

Description

An issue was discovered in NumPy before 1.16.3. It uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, as demonstrated by a numpy.load call. NOTE: third parties dispute this issue because it is a behavior that might have legitimate applications in (for example) loading serialized Python object arrays from trusted and authenticated sources.

Exploits (1)

nomisec WORKING POC 3 stars
by RayScri · poc
https://github.com/RayScri/CVE-2019-6446

Classification: Working PoC 95%
Attack Type: Deserialization
Complexity: Trivial
Reliability: Reliable
Target: NumPy <= 1.16.3
No auth needed
Prerequisites: NumPy <= 1.16.3 installed · Ability to write a malicious pickle file to the target system
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 9.8
EPSS 0.7149
EPSS Percentile 98.7%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE CWE-502
Status published
Products (3)
fedoraproject/fedora 30
numpy/numpy < 1.16.0
pypi/numpy 0PyPI
Published Jan 16, 2019
Tracked Since Feb 18, 2026