U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

National Vulnerability Database

National Vulnerability Database

NVD

National Vulnerability Database

Vulnerability Change Records for CVE-2024-12254

Change History

New CVE Received from Python Software Foundation 12/06/2024 11:15:20 AM

Action Type Old Value New Value
Added Description 

								
							
							
								
							
						
								
							
								
Starting in Python 3.12.0, the asyncio._SelectorSocketTransport.writelines()
 method would not "pause" writing and signal to the Protocol to drain 
the buffer to the wire once the write buffer reached the "high-water 
mark". Because of this, Protocols would not periodically drain the write
 buffer potentially leading to memory exhaustion.





This
 vulnerability likely impacts a small number of users, you must be using
 Python 3.12.0 or later, on macOS or Linux, using the asyncio module 
with protocols, and using .writelines() method which had new 
zero-copy-on-write behavior in Python 3.12.0 and later. If not all of 
these factors are true then your usage of Python is unaffected.

								
								
					

					

						Added
						CVSS V4.0
						
							
							
								
							
								

								
							
							
								
							
						
								
							
								
AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

								
								
					

					

						Added
						CWE
						
							
							
								
							
								

								
							
							
								
							
						
								
							
								
CWE-400

								
								
					

					

						Added
						CWE
						
							
							
								
							
								

								
							
							
								
							
						
								
							
								
CWE-770

								
								
					

					

						Added
						Reference
						
							
							
								
							
								

								
							
							
								
							
						
								
							
								
https://github.com/python/cpython/commit/71e8429ac8e2adc10084ab5ec29a62f4b6671a82

								
								
					

					

						Added
						Reference
						
							
							
								
							
								

								
							
							
								
							
						
								
							
								
https://github.com/python/cpython/commit/9aa0deb2eef2655a1029ba228527b152353135b5

								
								
					

					

						Added
						Reference
						
							
							
								
							
								

								
							
							
								
							
						
								
							
								
https://github.com/python/cpython/issues/127655

								
								
					

					

						Added
						Reference
						
							
							
								
							
								

								
							
							
								
							
						
								
							
								
https://github.com/python/cpython/pull/127656

								
								
					

					

						Added
						Reference
						
							
							
								
							
								

								
							
							
								
							
						
								
							
								
https://mail.python.org/archives/list/security-announce@python.org/thread/H4O3UBAOAQQXGT4RE3E4XQYR5XLROORB/