Security readout for executives and security teams
Older NumPy versions loaded Python pickle data through numpy.load in a way that could run attacker-controlled code if an application opened a malicious serialized object. Business risk depends on whether systems process NumPy files from untrusted users, partners, pipelines, or storage. The CVE is disputed because this behavior can be legitimate for trusted object arrays. Exposure is most likely in Python services, notebooks, batch jobs, ML pipelines, or data-processing tools using NumPy before 1.16.3 and loading serialized arrays from untrusted or weakly authenticated sources. Prioritize remediation for internet-facing upload features, shared data platforms, and ML pipelines consuming third-party files. Lower urgency may be reasonable for isolated systems that only load trusted internal artifacts, but the trust boundary should be verified rather than assumed. Mitigation focus: Upgrade NumPy to 1.16.3 or later where vendor guidance supports it.; Do not load NumPy pickle/object data from untrusted sources.; Require authentication and provenance checks for serialized data inputs..
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
Execution behavior lookup
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
Open ATT&CK lookupCVE-2019-6446 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- Unknown
- CVSS
- Not scored
- Known Exploited
- No
- Published
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CVSS and timeline data
No CVSS vectors or timeline events were available in the normalized CVE source material.
Source materials
- CVE List V5 sourceCVE List V5
- https://bugzilla.suse.com/show_bug.cgi?id=1122208CVE reference
- https://github.com/numpy/numpy/issues/12759CVE reference
- FEDORA-2019-1dfe95a864CVE reference · vendor-advisory
- RHSA-2019:3335CVE reference · vendor-advisory
- RHSA-2019:3704CVE reference · vendor-advisory
- https://github.com/numpy/numpy/pull/13359CVE reference
- https://github.com/numpy/numpy/pull/12889CVE reference
- https://github.com/numpy/numpy/commit/89b688732b37616c9d26623f81aaee1703c30ffbCVE reference
- FEDORA-2019-1dfe95a864CVE reference · vendor-advisory, x_refsource_FEDORA
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
