CVE-2024-12254

Name
CVE-2024-12254
Description
Starting in Python 3.12.0, the asyncio._SelectorSocketTransport.writelines() method would not "pause" writing and signal to the Protocol to drain the buffer to the wire once the write buffer reached the "high-water mark". Because of this, Protocols would not periodically drain the write buffer, potentially leading to memory exhaustion. This vulnerability likely impacts a small number of users: you must be using Python 3.12.0 or later, on macOS or Linux, using the asyncio module with protocols, and using the .writelines() method, which gained new zero-copy-on-write behavior in Python 3.12.0 and later. If not all of these factors are true, then your usage of Python is unaffected.
NVD Severity
high
Forges
GitHub (code, issues), Aports (code, issues)

References

Type                                   URI
patch                                  https://github.com/python/cpython/commit/71e8429ac8e2adc10084ab5ec29a62f4b6671a82
patch                                  https://github.com/python/cpython/commit/9aa0deb2eef2655a1029ba228527b152353135b5
issue-tracking                         https://github.com/python/cpython/issues/127655
patch                                  https://github.com/python/cpython/pull/127656
vendor-advisory                        https://mail.python.org/archives/list/security-announce@python.org/thread/H4O3UBAOAQQXGT4RE3E4XQYR5XLROORB/
af854a3a-2127-422b-91ae-364da2661108   http://www.openwall.com/lists/oss-security/2024/12/06/1
patch                                  https://github.com/python/cpython/commit/e991ac8f2037d78140e417cc9a9486223eb3e786
af854a3a-2127-422b-91ae-364da2661108   https://security.netapp.com/advisory/ntap-20250404-0010/

Match rules

CPE URI   Source package   Min version   Max version
(none)    cpython          >= 3.12.0     < 3.12.9
(none)    cpython          >= 3.13.0     < 3.13.2
(none)    cpython          >= 3.14.0a1   < 3.14.0a3

Vulnerable and fixed packages

Source package   Branch      Version     Maintainer                               Status
python3          edge-main   3.12.8-r1   Natanael Copa <ncopa@alpinelinux.org>   fixed
python3          3.21-main   3.12.8-r1   Natanael Copa <ncopa@alpinelinux.org>   fixed
python3          3.20-main   3.12.8-r1   Natanael Copa <ncopa@alpinelinux.org>   fixed