#1138589 Library Search Path Hijacking via Empty RPATH Entries in libarrow.so.500

Package: libarrow500
Source: libarrow500
Submitter: Jonathan Trowbridge
Date: 2026-05-31 21:33:02 UTC
Severity: normal
Tags:

#1138589#5
Date: 2026-05-31 21:30:24 UTC
From:
To:

*Summary:*

The libarrow500 Debian package installs the shared library:

/usr/lib/aarch64-linux-gnu/libarrow.so.500

This library contains an RPATH consisting entirely of empty path elements:

RPATH [:::::::]

Empty entries in an ELF RPATH are interpreted by the dynamic linker as the
current working directory (CWD). As a result, when libarrow.so.500 resolves
its dependencies, the dynamic linker searches the process working directory
before falling back to the system library paths.

This permits library search path hijacking if an attacker can place a
malicious shared library in a directory from which a victim executes
software that loads libarrow.so.500.

*Impact:*

An attacker can cause execution of attacker-controlled code in the security
context of the user running the affected application.

Applications that directly or indirectly load libarrow.so.500 may resolve
dependencies from the current working directory due to the malformed RPATH.
If a victim executes such software from a directory containing
attacker-controlled shared libraries, the malicious library may be loaded
and executed before the legitimate system library.

This is a CWE-426 / CWE-427 class issue (Untrusted Search Path).

*Proof of Concept:*

*Verify the malformed RPATH:*

$ readelf -d /usr/lib/aarch64-linux-gnu/libarrow.so.500 | grep RPATH

Output:

0x000000000000000f (RPATH) Library rpath: [:::::::]
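
Added example, not part of the original report or of the Arrow or Debian packaging: a small auditor that applies the check above to `readelf -d` output and flags every RPATH or RUNPATH entry that resolves against the working directory. The names `classify`, `audit` and `audit_file` and the RUNPATH line in `SAMPLE` are this example's own; the RPATH line is the one quoted in the report.

```python
import re
import subprocess
import sys

# Matches `readelf -d` lines for DT_RPATH and DT_RUNPATH.
DYN_PATH = re.compile(r"\((RPATH|RUNPATH)\)\s+Library r(?:un)?path:\s+\[(.*)\]")

# First line as quoted in the report; second line constructed for illustration.
SAMPLE = """\
 0x000000000000000f (RPATH) Library rpath: [:::::::]
 0x000000000000001d (RUNPATH) Library runpath: [$ORIGIN/../lib:/usr/lib:lib:]
"""

def classify(entry):
    """Return why a search-path entry is unsafe, or None if it is acceptable."""
    if entry == "":
        return "empty entry, searched in the current working directory"
    if entry.startswith("/"):
        return None  # absolute path
    if entry.startswith(("$ORIGIN", "${ORIGIN}")):
        return None  # relative to the object's own location, not the CWD
    return "relative entry, resolved against the current working directory"

def audit(readelf_output):
    """Return (tag, position, entry, reason) for every unsafe entry."""
    findings = []
    for line in readelf_output.splitlines():
        m = DYN_PATH.search(line)
        if not m or not m.group(2):
            continue  # not a search-path tag, or no entries listed
        tag, value = m.groups()
        for pos, entry in enumerate(value.split(":")):
            reason = classify(entry)
            if reason:
                findings.append((tag, pos, entry, reason))
    return findings

def audit_file(path):
    """Run readelf on an installed object and audit its dynamic section."""
    out = subprocess.run(["readelf", "-d", path], capture_output=True,
                         text=True, check=True).stdout
    return audit(out)

if __name__ == "__main__":
    # With arguments: audit those ELF files. Without: audit the sample text.
    results = {p: audit_file(p) for p in sys.argv[1:]} or {"SAMPLE": audit(SAMPLE)}
    for name, findings in results.items():
        for tag, pos, entry, reason in findings:
            print(f"{name}: {tag}[{pos}] {entry!r}: {reason}")
```

Run over every shared object in a package build tree, this catches the malformed tag before upload; a clean object produces no output.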

*Create an attacker-controlled replacement library:*

$ mkdir -p /tmp/malicious_workspace
$ cd /tmp/malicious_workspace
$ cat << EOF > poc_arrow.c
#include <stdio.h>
#include <stdlib.h>