Apache Arrow 23.0.1 Release
Published
16 Feb 2026
By
The Apache Arrow PMC (pmc)
The Apache Arrow team is pleased to announce the 23.0.1 release. It includes a security fix for the C++ IPC file reader, so be sure to read the relevant details below to see if you are affected.
Apart from that, 23.0.1 is mostly a bugfix release that includes 28 resolved issues on 29 distinct commits from 12 distinct contributors.
See the Install Page to learn how to get the libraries for your platform.
The release notes below are not exhaustive and only expose selected highlights of the release. Many other bugfixes and improvements have been made: we refer you to the complete changelog.
C++ notes
- Fix possible OOB write in buffered IO (GH-48311).
IPC
CVE-2026-25087: Use After Free vulnerability in IPC file reader
Fix a security issue can be triggered when reading an Arrow IPC file (but not an IPC stream) with pre-buffering enabled, if the IPC file contains data with variadic buffers (such as Binary View and String View data).
Pre-buffering is disabled by default, so your code is vulnerable only if it
enables it explicitly by calling RecordBatchFileReader::PreBufferMetadata.
Affected Arrow C++ versions are 15.0.0 through 23.0.0. The fix integrated
in 23.0.1 can also be separately viewed at
GH-48925.
See our separate announcement for further detail.
Other fixes
- Avoid memory blowup with excessive variadic buffer count in IPC (GH-48900).
Gandiva
Parquet
- Avoid re-serializing footer for signature verification (GH-48858).
Python notes
- Added missing NOTICE.txt and LICENSE.txt to wheels (GH-48983).
- Some fixes for compatibility with newer Cython versions like (GH-48965), (GH-49156) and (GH-49138).
Ruby notes
- Fix a bug where
Arrow::ExecutePlannodes may be Garbage Collected (GH-48880).
R notes
- Bump C++20 for R build infrastructure (GH-48817) and fix some C++ 20 related compilation issues (GH-48973).
Other modules and languages
No general changes were made to the other libraries or languages.