Apache Arrow 23.0.1 Release


Published 16 Feb 2026
By The Apache Arrow PMC (pmc)

The Apache Arrow team is pleased to announce the 23.0.1 release. It includes a security fix for the C++ IPC file reader, so be sure to read the relevant details below to see if you are affected.

Apart from that, 23.0.1 is mostly a bugfix release that includes 28 resolved issues on 29 distinct commits from 12 distinct contributors.

See the Install Page to learn how to get the libraries for your platform.

The release notes below are not exhaustive and only expose selected highlights of the release. Many other bugfixes and improvements have been made: we refer you to the complete changelog.

C++ notes

  • Fix possible OOB write in buffered IO (GH-48311).

IPC

CVE-2026-25087: Use After Free vulnerability in IPC file reader

Fix a security issue can be triggered when reading an Arrow IPC file (but not an IPC stream) with pre-buffering enabled, if the IPC file contains data with variadic buffers (such as Binary View and String View data).

Pre-buffering is disabled by default, so your code is vulnerable only if it enables it explicitly by calling RecordBatchFileReader::PreBufferMetadata. Affected Arrow C++ versions are 15.0.0 through 23.0.0. The fix integrated in 23.0.1 can also be separately viewed at GH-48925.

See our separate announcement for further detail.

Other fixes

  • Avoid memory blowup with excessive variadic buffer count in IPC (GH-48900).

Gandiva

  • Fix passing CPU attributes to LLVM (GH-48160).
  • Detect overflow in repeat() (GH-49159).

Parquet

  • Avoid re-serializing footer for signature verification (GH-48858).

Python notes

  • Added missing NOTICE.txt and LICENSE.txt to wheels (GH-48983).
  • Some fixes for compatibility with newer Cython versions like (GH-48965), (GH-49156) and (GH-49138).

Ruby notes

  • Fix a bug where Arrow::ExecutePlan nodes may be Garbage Collected (GH-48880).

R notes

  • Bump C++20 for R build infrastructure (GH-48817) and fix some C++ 20 related compilation issues (GH-48973).

Other modules and languages

No general changes were made to the other libraries or languages.