THREATINT
PUBLISHED

CVE-2024-12254

Unbounded memory buffering in SelectorSocketTransport.writelines()



Description

Starting in Python 3.12.0, the asyncio._SelectorSocketTransport.writelines() method did not "pause" writing and signal the Protocol that the write buffer needs to drain to the wire once that buffer reached the "high-water mark". Because of this, Protocols would not periodically drain the write buffer, potentially leading to memory exhaustion. This vulnerability likely impacts a small number of users: you must be using Python 3.12.0 or later, on macOS or Linux, using the asyncio module with protocols, and using the .writelines() method, which gained new zero-copy-on-write behavior in Python 3.12.0 and later. If not all of these factors are true, your usage of Python is unaffected.
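As an added illustration, not part of this advisory or of CPython's own test suite, the following script checks whether the running interpreter's selector socket transport honours the high-water mark for writelines() the same way it does for write(): a peer that never reads forces data to pile up in the transport's user-space write buffer, and a recording Protocol notes whether the transport asked it to pause. The names RecordingProtocol and probe_writelines_flow_control are the example's own, and it assumes a macOS/Linux selector event loop (the transport named in the advisory).

```python
import asyncio
import socket

HIGH_WATER = 64 * 1024            # asyncio's default high-water mark, set explicitly below
PAYLOAD = [b"x" * 4096] * 1024    # constructed: 4 MiB, far above any kernel socket buffer


class RecordingProtocol(asyncio.Protocol):
    """Protocol that only records whether the transport told it to pause."""

    def __init__(self):
        self.paused = False

    def pause_writing(self):
        self.paused = True


async def _probe(use_writelines):
    # The peer never reads, so once the kernel send buffer is full the rest of
    # the payload must sit in the transport's user-space write buffer.
    loop = asyncio.get_running_loop()
    ours, peer = socket.socketpair()
    transport, proto = await loop.create_connection(RecordingProtocol, sock=ours)
    transport.set_write_buffer_limits(high=HIGH_WATER)
    try:
        if use_writelines:
            transport.writelines(PAYLOAD)
        else:
            transport.write(b"".join(PAYLOAD))
        # pause_writing() is invoked synchronously inside write()/writelines(),
        # so the flag is already final at this point.
        return {"paused": proto.paused, "buffered": transport.get_write_buffer_size()}
    finally:
        transport.abort()   # discard buffered data instead of waiting for a drain
        peer.close()


async def _run():
    write = await _probe(use_writelines=False)
    writelines = await _probe(use_writelines=True)
    # Only flag the bug when the buffer really exceeded the high-water mark yet
    # no pause was signalled; a small buffer is not evidence either way.
    vulnerable = writelines["buffered"] > HIGH_WATER and not writelines["paused"]
    return {"write": write, "writelines": writelines, "vulnerable": vulnerable}


def probe_writelines_flow_control():
    """Compare flow-control signalling of write() and writelines() on this interpreter."""
    return asyncio.run(_run())
```

On an affected interpreter the result has "write" paused but "writelines" not, with "vulnerable" True; on a patched build both are paused.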

Reserved 2024-12-05 | Published 2024-12-06 | Updated 2025-01-06 | Assigner PSF


HIGH: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N)

Problem types

CWE-400 Uncontrolled Resource Consumption

CWE-770 Allocation of Resources Without Limits or Throttling

Product status

Default status: unaffected

3.12.0 before 3.14.0a2: affected

Credits

J. Nick Koston (reporter)

Seth Larson (coordinator)

References

github.com/python/cpython/issues/127655 issue-tracking

github.com/python/cpython/pull/127656 patch

mail.python.org/.../thread/H4O3UBAOAQQXGT4RE3E4XQYR5XLROORB/ vendor-advisory

github.com/...ommit/71e8429ac8e2adc10084ab5ec29a62f4b6671a82 patch

github.com/...ommit/9aa0deb2eef2655a1029ba228527b152353135b5 patch

cve.org (CVE-2024-12254)

nvd.nist.gov (CVE-2024-12254)

https://cve.threatint.com/CVE/CVE-2024-12254