CVE-2026-3298

Summary

The method "sock_recvfrom_into()" of "asyncio.ProacterEventLoop" (Windows only) was missing a boundary check for the data buffer when using nbytes parameter. This allowed for an out-of-bounds buffer write if data was larger than the buffer size. Non-Windows platforms are not affected.

Affected Software

VendorProductVersion RangeStatus
Python Software FoundationCPython3.11.0 < 3.13.14affected
Python Software FoundationCPython3.14.0a1 < 3.14.5rc1affected
Python Software FoundationCPython3.15.0a1 < 3.15.0b1affected

Weaknesses

  • CWE-787: CWE-787 Out-of-bounds write

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References