{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-12254", "assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22", "state": "PUBLISHED", "assignerShortName": "PSF", "dateReserved": "2024-12-05T16:17:55.154Z", "datePublished": "2024-12-06T15:19:41.576Z", "dateUpdated": "2025-04-04T23:03:00.653Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["asyncio"], "platforms": ["MacOS", "Linux"], "product": "CPython", "repo": "https://github.com/python/cpython", "vendor": "Python Software Foundation", "versions": [{"version": "3.12.0", "lessThan": "3.12.9", "status": "affected", "versionType": "python"}, {"version": "3.13.0", "lessThan": "3.13.2", "status": "affected", "versionType": "python"}, {"version": "3.14.0a1", "lessThan": "3.14.0a3", "status": "affected", "versionType": "python"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "J. Nick Koston"}, {"lang": "en", "type": "coordinator", "value": "Seth Larson"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div>Starting in Python 3.12.0, the asyncio._SelectorSocketTransport.writelines()\n method would not \"pause\" writing and signal to the Protocol to drain \nthe buffer to the wire once the write buffer reached the \"high-water \nmark\". Because of this, Protocols would not periodically drain the write\n buffer potentially leading to memory exhaustion.<br></div><div><br></div><div>This\n vulnerability likely impacts a small number of users, you must be using\n Python 3.12.0 or later, on macOS or Linux, using the asyncio module \nwith protocols, and using .writelines() method which had new \nzero-copy-on-write behavior in Python 3.12.0 and later. If not all of \nthese factors are true then your usage of Python is unaffected.</div><br>"}], "value": "Starting in Python 3.12.0, the asyncio._SelectorSocketTransport.writelines()\n method would not \"pause\" writing and signal to the Protocol to drain \nthe buffer to the wire once the write buffer reached the \"high-water \nmark\". Because of this, Protocols would not periodically drain the write\n buffer potentially leading to memory exhaustion.\n\n\n\n\n\nThis\n vulnerability likely impacts a small number of users, you must be using\n Python 3.12.0 or later, on macOS or Linux, using the asyncio module \nwith protocols, and using .writelines() method which had new \nzero-copy-on-write behavior in Python 3.12.0 and later. If not all of \nthese factors are true then your usage of Python is unaffected."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.7, "baseSeverity": "HIGH", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-770", "description": "CWE-770 Allocation of Resources Without Limits or Throttling", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "28c92f92-d60d-412d-b760-e73465c3df22", "shortName": "PSF", "dateUpdated": "2025-02-04T20:38:34.082Z"}, "references": [{"tags": ["issue-tracking"], "url": "https://github.com/python/cpython/issues/127655"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/pull/127656"}, {"tags": ["vendor-advisory"], "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/H4O3UBAOAQQXGT4RE3E4XQYR5XLROORB/"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/commit/71e8429ac8e2adc10084ab5ec29a62f4b6671a82"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/commit/9aa0deb2eef2655a1029ba228527b152353135b5"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/commit/e991ac8f2037d78140e417cc9a9486223eb3e786"}], "source": {"discovery": "UNKNOWN"}, "title": "Unbounded memory buffering in SelectorSocketTransport.writelines()", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-770", "lang": "en", "description": "CWE-770 Allocation of Resources Without Limits or Throttling"}]}], "affected": [{"vendor": "python_software_foundation", "product": "cpython", "cpes": ["cpe:2.3:a:python_software_foundation:cpython:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "3.12.0", "status": "affected", "lessThan": "3.14.0a1", "versionType": "python"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-12-06T15:35:11.234951Z", "id": "CVE-2024-12254", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-05T16:54:28.955Z"}}, {"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2024/12/06/1"}, {"url": "https://security.netapp.com/advisory/ntap-20250404-0010/"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-04-04T23:03:00.653Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2024/12/06/1"}, {"url": "https://security.netapp.com/advisory/ntap-20250404-0010/"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-04-04T23:03:00.653Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-12254", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-12-06T15:35:11.234951Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:python_software_foundation:cpython:*:*:*:*:*:*:*:*"], "vendor": "python_software_foundation", "product": "cpython", "versions": [{"status": "affected", "version": "3.12.0", "lessThan": "3.14.0a1", "versionType": "python"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770 Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-06T15:37:21.821Z"}}], "cna": {"title": "Unbounded memory buffering in SelectorSocketTransport.writelines()", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "reporter", "value": "J. Nick Koston"}, {"lang": "en", "type": "coordinator", "value": "Seth Larson"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/python/cpython", "vendor": "Python Software Foundation", "modules": ["asyncio"], "product": "CPython", "versions": [{"status": "affected", "version": "3.12.0", "lessThan": "3.12.9", "versionType": "python"}, {"status": "affected", "version": "3.13.0", "lessThan": "3.13.2", "versionType": "python"}, {"status": "affected", "version": "3.14.0a1", "lessThan": "3.14.0a3", "versionType": "python"}], "platforms": ["MacOS", "Linux"], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/python/cpython/issues/127655", "tags": ["issue-tracking"]}, {"url": "https://github.com/python/cpython/pull/127656", "tags": ["patch"]}, {"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/H4O3UBAOAQQXGT4RE3E4XQYR5XLROORB/", "tags": ["vendor-advisory"]}, {"url": "https://github.com/python/cpython/commit/71e8429ac8e2adc10084ab5ec29a62f4b6671a82", "tags": ["patch"]}, {"url": "https://github.com/python/cpython/commit/9aa0deb2eef2655a1029ba228527b152353135b5", "tags": ["patch"]}, {"url": "https://github.com/python/cpython/commit/e991ac8f2037d78140e417cc9a9486223eb3e786", "tags": ["patch"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Starting in Python 3.12.0, the asyncio._SelectorSocketTransport.writelines()\n method would not \"pause\" writing and signal to the Protocol to drain \nthe buffer to the wire once the write buffer reached the \"high-water \nmark\". Because of this, Protocols would not periodically drain the write\n buffer potentially leading to memory exhaustion.\n\n\n\n\n\nThis\n vulnerability likely impacts a small number of users, you must be using\n Python 3.12.0 or later, on macOS or Linux, using the asyncio module \nwith protocols, and using .writelines() method which had new \nzero-copy-on-write behavior in Python 3.12.0 and later. If not all of \nthese factors are true then your usage of Python is unaffected.", "supportingMedia": [{"type": "text/html", "value": "<div>Starting in Python 3.12.0, the asyncio._SelectorSocketTransport.writelines()\n method would not \"pause\" writing and signal to the Protocol to drain \nthe buffer to the wire once the write buffer reached the \"high-water \nmark\". Because of this, Protocols would not periodically drain the write\n buffer potentially leading to memory exhaustion.<br></div><div><br></div><div>This\n vulnerability likely impacts a small number of users, you must be using\n Python 3.12.0 or later, on macOS or Linux, using the asyncio module \nwith protocols, and using .writelines() method which had new \nzero-copy-on-write behavior in Python 3.12.0 and later. If not all of \nthese factors are true then your usage of Python is unaffected.</div><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770 Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "28c92f92-d60d-412d-b760-e73465c3df22", "shortName": "PSF", "dateUpdated": "2025-02-04T20:38:34.082Z"}}}, "cveMetadata": {"cveId": "CVE-2024-12254", "state": "PUBLISHED", "dateUpdated": "2025-04-04T23:03:00.653Z", "dateReserved": "2024-12-05T16:17:55.154Z", "assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22", "datePublished": "2024-12-06T15:19:41.576Z", "assignerShortName": "PSF"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Starting in Python 3.12.0, the asyncio._SelectorSocketTransport.writelines()\n method would not \"pause\" writing and signal to the Protocol to drain \nthe buffer to the wire once the write buffer reached the \"high-water \nmark\". Because of this, Protocols would not periodically drain the write\n buffer potentially leading to memory exhaustion.\n\n\n\n\n\nThis\n vulnerability likely impacts a small number of users, you must be using\n Python 3.12.0 or later, on macOS or Linux, using the asyncio module \nwith protocols, and using .writelines() method which had new \nzero-copy-on-write behavior in Python 3.12.0 and later. If not all of \nthese factors are true then your usage of Python is unaffected."}, {"lang": "es", "value": "Starting de Python 3.12.0, el m\u00e9todo asyncio._SelectorSocketTransport.writelines() no \"pausaba\" la escritura ni enviaba se\u00f1ales al protocolo para que vaciara el b\u00fafer hacia el cable una vez que el b\u00fafer de escritura alcanzaba el \"l\u00edmite superior\". Debido a esto, los protocolos no vaciaban peri\u00f3dicamente el b\u00fafer de escritura, lo que podr\u00eda provocar el agotamiento de la memoria. Es probable que esta vulnerabilidad afecte a una peque\u00f1a cantidad de usuarios. Debes usar Python 3.12.0 o posterior, en macOS o Linux, usar el m\u00f3dulo asyncio con protocolos y usar el m\u00e9todo .writelines(), que ten\u00eda un nuevo comportamiento de copia cero al escribir en Python 3.12.0 y posterior. Si no se cumplen todos estos factores, tu uso de Python no se ve afectado."}], "id": "CVE-2024-12254", "lastModified": "2025-04-04T23:15:39.980", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@python.org", "type": "Secondary"}]}, "published": "2024-12-06T16:15:20.623", "references": [{"source": "cna@python.org", "url": "https://github.com/python/cpython/commit/71e8429ac8e2adc10084ab5ec29a62f4b6671a82"}, {"source": "cna@python.org", "url": "https://github.com/python/cpython/commit/9aa0deb2eef2655a1029ba228527b152353135b5"}, {"source": "cna@python.org", "url": "https://github.com/python/cpython/commit/e991ac8f2037d78140e417cc9a9486223eb3e786"}, {"source": "cna@python.org", "url": "https://github.com/python/cpython/issues/127655"}, {"source": "cna@python.org", "url": "https://github.com/python/cpython/pull/127656"}, {"source": "cna@python.org", "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/H4O3UBAOAQQXGT4RE3E4XQYR5XLROORB/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2024/12/06/1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20250404-0010/"}], "sourceIdentifier": "cna@python.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}, {"lang": "en", "value": "CWE-770"}], "source": "cna@python.org", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-770"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:10980", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "python3.12-0:3.12.8-1.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-12-12T00:00:00Z"}, {"advisory": "RHSA-2024:10978", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "python3.12-0:3.12.5-2.el9_5.2", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-12-12T00:00:00Z"}, {"advisory": "RHSA-2024:11035", "cpe": "cpe:/a:redhat:rhel_eus:9.4", "package": "python3.12-0:3.12.1-4.el9_4.5", "product_name": "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date": "2024-12-13T00:00:00Z"}], "bugzilla": {"description": "python: Unbounded memory buffering in SelectorSocketTransport.writelines()", "id": "2330804", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2330804"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "(CWE-400|CWE-770)", "details": ["Starting in Python 3.12.0, the asyncio._SelectorSocketTransport.writelines()\nmethod would not \"pause\" writing and signal to the Protocol to drain \nthe buffer to the wire once the write buffer reached the \"high-water \nmark\". Because of this, Protocols would not periodically drain the write\nbuffer potentially leading to memory exhaustion.\nThis\nvulnerability likely impacts a small number of users, you must be using\nPython 3.12.0 or later, on macOS or Linux, using the asyncio module \nwith protocols, and using .writelines() method which had new \nzero-copy-on-write behavior in Python 3.12.0 and later. If not all of \nthese factors are true then your usage of Python is unaffected.", "A flaw was found in Python. In certain configurations, the `asyncio._SelectorSocketTransport.writelines()` method fails to signal the protocol to clear the write buffer when it approaches capacity. Because of this, protocols would not periodically drain the write buffer, potentially leading to a denial of service via memory exhaustion."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-12254", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "python", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "python", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "python3", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "gimp:flatpak/python2", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "python3", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "python3.11", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "python36:3.6/python36", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "python39:3.9/python39", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "python39-devel:3.9/python39", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "python3.11", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "python3.9", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:1", "fix_state": "Not affected", "package_name": "rhelai1/bootc-amd-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI)"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:1", "fix_state": "Not affected", "package_name": "rhelai1/bootc-azure-nvidia-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI)"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:1", "fix_state": "Not affected", "package_name": "rhelai1/bootc-nvidia-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI)"}], "public_date": "2024-12-06T15:19:41Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-12254\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-12254\nhttps://github.com/python/cpython/issues/127655\nhttps://github.com/python/cpython/pull/127656\nhttps://mail.python.org/archives/list/security-announce@python.org/thread/H4O3UBAOAQQXGT4RE3E4XQYR5XLROORB/"], "statement": "This vulnerability likely impacts a small number of users. You must be using Python 3.12.0 or later, on Linux, using the asyncio module with protocols, and using .writelines() method which had new zero-copy-on-write behavior in Python 3.12.0 and later. If not all of these factors are true, then your usage of Python is unaffected.\nThis vulnerability is rated with an Important severity due to its potential for denial of service (DoS) attacks through memory exhaustion. By failing to signal the protocol to drain the write buffer when approaching the high-water mark, the affected `asyncio._SelectorSocketTransport.writelines()` method introduces a important flaw in flow control. This flaw can lead to uncontrolled growth of the buffer in long-running or high-throughput applications, which are typical in networked systems or event-driven architectures. Given that `asyncio` is widely used in performance-critical Python applications for handling asynchronous I/O, the impact of memory exhaustion could destabilize services, compromise system availability, and increase the risk of cascading failures, especially in production environments handling large-scale or untrusted inputs.", "threat_severity": "Important"}