Starting in Python 3.12.0, the asyncio._SelectorSocketTransport.writelines() method would not "pause" writing and signal to the Protocol to drain the buffer to the wire once the write buffer reached the "high-water mark". Because of this, Protocols would not periodically drain the write buffer potentially leading to memory exhaustion. This vulnerability likely impacts a small number of users, you must be using Python 3.12.0 or later, on macOS or Linux, using the asyncio module with protocols, and using .writelines() method which had new zero-copy-on-write behavior in Python 3.12.0 and later. If not all of these factors are true then your usage of Python is unaffected.
History

Sat, 14 Dec 2024 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Eus
CPEs cpe:/a:redhat:rhel_eus:9.4
Vendors & Products Redhat rhel Eus

Thu, 12 Dec 2024 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat
Redhat enterprise Linux
CPEs cpe:/a:redhat:enterprise_linux:8
cpe:/a:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat enterprise Linux

Sat, 07 Dec 2024 13:30:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Important


Fri, 06 Dec 2024 19:45:00 +0000

Type Values Removed Values Added
References

Fri, 06 Dec 2024 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Python Software Foundation
Python Software Foundation cpython
CPEs cpe:2.3:a:python_software_foundation:cpython:*:*:*:*:*:*:*:*
Vendors & Products Python Software Foundation
Python Software Foundation cpython
References
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 06 Dec 2024 15:30:00 +0000

Type Values Removed Values Added
Description Starting in Python 3.12.0, the asyncio._SelectorSocketTransport.writelines() method would not "pause" writing and signal to the Protocol to drain the buffer to the wire once the write buffer reached the "high-water mark". Because of this, Protocols would not periodically drain the write buffer potentially leading to memory exhaustion. This vulnerability likely impacts a small number of users, you must be using Python 3.12.0 or later, on macOS or Linux, using the asyncio module with protocols, and using .writelines() method which had new zero-copy-on-write behavior in Python 3.12.0 and later. If not all of these factors are true then your usage of Python is unaffected.
Title Unbounded memory buffering in SelectorSocketTransport.writelines()
Weaknesses CWE-400
CWE-770
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: PSF

Published: 2024-12-06T15:19:41.576Z

Updated: 2024-12-06T19:02:35.550Z

Reserved: 2024-12-05T16:17:55.154Z

Link: CVE-2024-12254

cve-icon Vulnrichment

Updated: 2024-12-06T19:02:35.550Z

cve-icon NVD

Status : Received

Published: 2024-12-06T16:15:20.623

Modified: 2024-12-06T19:15:10.983

Link: CVE-2024-12254

cve-icon Redhat

Severity : Important

Publid Date: 2024-12-06T15:19:41Z

Links: CVE-2024-12254 - Bugzilla