CVE-2024-12254

Summary

Starting in Python 3.12.0, the asyncio._SelectorSocketTransport.writelines() method would not "pause" writing and signal to the Protocol to drain the buffer to the wire once the write buffer reached the "high-water mark". Because of this, Protocols would not periodically drain the write buffer potentially leading to memory exhaustion.

This vulnerability likely impacts a small number of users, you must be using Python 3.12.0 or later, on macOS or Linux, using the asyncio module with protocols, and using .writelines() method which had new zero-copy-on-write behavior in Python 3.12.0 and later. If not all of these factors are true then your usage of Python is unaffected.

Affected Software

VendorProductVersion RangeStatus
Python Software FoundationCPython3.12.0 < 3.12.9affected
Python Software FoundationCPython3.13.0 < 3.13.2affected
Python Software FoundationCPython3.14.0a1 < 3.14.0a3affected

Weaknesses

  • CWE-400: CWE-400 Uncontrolled Resource Consumption
  • CWE-770: CWE-770 Allocation of Resources Without Limits or Throttling

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

CVE Program Container

Additional References

References