CVE-2024-12254

EUVD-2024-50718
Starting in Python 3.12.0, the asyncio._SelectorSocketTransport.writelines() method would not "pause" writing and signal to the Protocol to drain the buffer to the wire once the write buffer reached the "high-water mark". Because of this, Protocols would not periodically drain the write buffer, potentially leading to memory exhaustion.

This vulnerability likely impacts a small number of users: you must be using Python 3.12.0 or later, on macOS or Linux, using the asyncio module with protocols, and using the .writelines() method, which had new zero-copy-on-write behavior in Python 3.12.0 and later. If not all of these factors are true, then your usage of Python is unaffected.
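
A behavioural check for the missing pause described above (an added example, not code from CPython or from this advisory page): it drives writelines() over a local socketpair whose peer never reads and reports whether pause_writing() was called once the buffer passed the high-water mark. The names Probe, in_cna_range and writelines_applies_backpressure and the 64 KiB limit are assumptions of this example; the version ranges are the CNA ranges listed on this page, and the probe assumes the default selector event loop on Linux or macOS.

```python
import asyncio
import socket
import sys

HIGH_WATER = 64 * 1024  # constructed high-water mark for the probe


def in_cna_range(v=sys.version_info[:3]):
    """Upstream affected ranges as listed by the CNA on this page."""
    return (3, 12, 0) <= v < (3, 12, 9) or (3, 13, 0) <= v < (3, 13, 2)


class Probe(asyncio.Protocol):
    """Records whether the transport ever asked the protocol to stop writing."""
    def __init__(self):
        self.paused = False

    def pause_writing(self):
        self.paused = True


async def _probe():
    loop = asyncio.get_running_loop()
    ours, peer = socket.socketpair()  # local only; the peer never reads
    try:
        transport, proto = await loop.create_connection(Probe, sock=ours)
        transport.set_write_buffer_limits(high=HIGH_WATER)
        chunk = b"\0" * HIGH_WATER
        for _ in range(32):  # 2 MiB in total, more than the kernel buffer holds
            transport.writelines([chunk])
            await asyncio.sleep(0)
        buffered = transport.get_write_buffer_size()
        transport.abort()
        await asyncio.sleep(0)  # let connection_lost run and close the socket
        return proto.paused, buffered
    finally:
        peer.close()


def writelines_applies_backpressure():
    """Return (pause_writing_called, buffered_bytes) for this interpreter."""
    return asyncio.run(_probe())


if __name__ == "__main__":
    paused, buffered = writelines_applies_backpressure()
    print(f"python {sys.version.split()[0]}: in CNA range={in_cna_range()}, "
          f"pause_writing called={paused}, buffered={buffered} bytes")
```

A distribution build can report a version inside the upstream range and still carry a backported fix, so the probe result and the version check can disagree; the probe reflects what the installed interpreter actually does.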

| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| PSF | CNA | 7.5 HIGH | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |

EPSS Score percentile: 48%

Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.

| Vendor | Product | Version | Source |
|---|---|---|---|
| python_software_foundation | cpython | 3.12.0 ≤ x < 3.14.0a1 | ADP |
| python | cpython | 3.12.0 ≤ x < 3.12.9 | CNA |
| python | cpython | 3.13.0 ≤ x < 3.13.2 | CNA |

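Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| python3.11 | bookworm | 3.11.2-6+deb12u6 | fixed |
| python3.11 | bookworm (security) | 3.11.2-6+deb12u3 | fixed |
| python3.13 | forky | 3.13.11-1 | fixed |
| python3.13 | sid | 3.13.11-1 | fixed |
| python3.13 | trixie | 3.13.5-2 | fixed |
| python3.9 | bullseye | 3.9.2-1 | fixed |
| python3.9 | bullseye (security) | 3.9.2-1+deb11u3 | fixed |
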
Ubuntu Releases

| Ubuntu Product | bionic | focal | jammy | noble | oracular | plucky | questing | trusty | xenial |
|---|---|---|---|---|---|---|---|---|---|
| python3.11 | dne | dne | not-affected | dne | dne | dne | dne | dne | dne |
| python3.12 | dne | dne | dne | Fixed 3.12.3-1ubuntu0.4 (released) | Fixed 3.12.7-1ubuntu1.1 (released) | dne | dne | dne | dne |
| python3.13 | dne | dne | dne | dne | ignored | not-affected | not-affected | dne | dne |
| python3.9 | dne | not-affected | dne | dne | dne | dne | dne | dne | dne |
| python2.7 | not-affected | not-affected | not-affected | dne | dne | dne | dne | not-affected | not-affected |
| python3.4 | dne | dne | dne | dne | dne | dne | dne | not-affected | dne |
| python3.5 | dne | dne | dne | dne | dne | dne | dne | not-affected | not-affected |
| python3.6 | not-affected | dne | dne | dne | dne | dne | dne | dne | dne |
| python3.7 | not-affected | dne | dne | dne | dne | dne | dne | dne | dne |
| python3.8 | not-affected | not-affected | dne | dne | dne | dne | dne | dne | dne |
| python3.10 | dne | dne | not-affected | dne | dne | dne | dne | dne | dne |

openSUSE / SLES Releases

| openSUSE Product | Release | Version | Status |
|---|---|---|---|
| libpython3_12-1_0 | suse enterprise desktop 15 SP6 | 3.12.9-150600.3.18.1 | fixed |
| libpython3_12-1_0 | suse enterprise sap 15 SP6 | 3.12.9-150600.3.18.1 | fixed |
| libpython3_12-1_0 | suse enterprise server 15 SP6 | 3.12.9-150600.3.18.1 | fixed |
| libpython3_13-1_0 | suse enterprise desktop 15 SP7 | 3.13.5-150700.4.11.1 | fixed |
| libpython3_13-1_0 | suse enterprise sap 15 SP7 | 3.13.5-150700.4.11.1 | fixed |
| libpython3_13-1_0 | suse enterprise server 15 SP7 | 3.13.5-150700.4.11.1 | fixed |
| python312 | suse enterprise desktop 15 SP6 | 3.12.9-150600.3.18.1 | fixed |
| python312 | suse enterprise sap 15 SP6 | 3.12.9-150600.3.18.1 | fixed |
| python312 | suse enterprise server 15 SP6 | 3.12.9-150600.3.18.1 | fixed |
| python312-base | suse enterprise desktop 15 SP6 | 3.12.9-150600.3.18.1 | fixed |
| python312-base | suse enterprise sap 15 SP6 | 3.12.9-150600.3.18.1 | fixed |
| python312-base | suse enterprise server 15 SP6 | 3.12.9-150600.3.18.1 | fixed |
| python312-curses | suse enterprise desktop 15 SP6 | 3.12.9-150600.3.18.1 | fixed |
| python312-curses | suse enterprise sap 15 SP6 | 3.12.9-150600.3.18.1 | fixed |
| python312-curses | suse enterprise server 15 SP6 | 3.12.9-150600.3.18.1 | fixed |
| python312-dbm | suse enterprise desktop 15 SP6 | 3.12.9-150600.3.18.1 | fixed |
| python312-dbm | suse enterprise sap 15 SP6 | 3.12.9-150600.3.18.1 | fixed |
| python312-dbm | suse enterprise server 15 SP6 | 3.12.9-150600.3.18.1 | fixed |
| python312-devel | suse enterprise desktop 15 SP6 | 3.12.9-150600.3.18.1 | fixed |
| python312-devel | suse enterprise sap 15 SP6 | 3.12.9-150600.3.18.1 | fixed |
| python312-devel | suse enterprise server 15 SP6 | 3.12.9-150600.3.18.1 | fixed |
| python312-idle | suse enterprise desktop 15 SP6 | 3.12.9-150600.3.18.1 | fixed |
| python312-idle | suse enterprise sap 15 SP6 | 3.12.9-150600.3.18.1 | fixed |
| python312-idle | suse enterprise server 15 SP6 | 3.12.9-150600.3.18.1 | fixed |
| python312-tk | suse enterprise desktop 15 SP6 | 3.12.9-150600.3.18.1 | fixed |
| python312-tk | suse enterprise sap 15 SP6 | 3.12.9-150600.3.18.1 | fixed |
| python312-tk | suse enterprise server 15 SP6 | 3.12.9-150600.3.18.1 | fixed |
| python312-tools | suse enterprise desktop 15 SP6 | 3.12.9-150600.3.18.1 | fixed |
| python312-tools | suse enterprise sap 15 SP6 | 3.12.9-150600.3.18.1 | fixed |
| python312-tools | suse enterprise server 15 SP6 | 3.12.9-150600.3.18.1 | fixed |
| python313 | suse enterprise desktop 15 SP7 | 3.13.5-150700.4.11.1 | fixed |
| python313 | suse enterprise sap 15 SP7 | 3.13.5-150700.4.11.1 | fixed |
| python313 | suse enterprise server 15 SP7 | 3.13.5-150700.4.11.1 | fixed |
| python313-base | suse enterprise desktop 15 SP7 | 3.13.5-150700.4.11.1 | fixed |
| python313-base | suse enterprise sap 15 SP7 | 3.13.5-150700.4.11.1 | fixed |
| python313-base | suse enterprise server 15 SP7 | 3.13.5-150700.4.11.1 | fixed |
| python313-curses | suse enterprise desktop 15 SP7 | 3.13.5-150700.4.11.1 | fixed |
| python313-curses | suse enterprise sap 15 SP7 | 3.13.5-150700.4.11.1 | fixed |
| python313-curses | suse enterprise server 15 SP7 | 3.13.5-150700.4.11.1 | fixed |
| python313-dbm | suse enterprise desktop 15 SP7 | 3.13.5-150700.4.11.1 | fixed |
| python313-dbm | suse enterprise sap 15 SP7 | 3.13.5-150700.4.11.1 | fixed |
| python313-dbm | suse enterprise server 15 SP7 | 3.13.5-150700.4.11.1 | fixed |
| python313-devel | suse enterprise desktop 15 SP7 | 3.13.5-150700.4.11.1 | fixed |
| python313-devel | suse enterprise sap 15 SP7 | 3.13.5-150700.4.11.1 | fixed |
| python313-devel | suse enterprise server 15 SP7 | 3.13.5-150700.4.11.1 | fixed |
| python313-idle | suse enterprise desktop 15 SP7 | 3.13.5-150700.4.11.1 | fixed |
| python313-idle | suse enterprise sap 15 SP7 | 3.13.5-150700.4.11.1 | fixed |
| python313-idle | suse enterprise server 15 SP7 | 3.13.5-150700.4.11.1 | fixed |
| python313-tk | suse enterprise desktop 15 SP7 | 3.13.5-150700.4.11.1 | fixed |
| python313-tk | suse enterprise sap 15 SP7 | 3.13.5-150700.4.11.1 | fixed |
| python313-tk | suse enterprise server 15 SP7 | 3.13.5-150700.4.11.1 | fixed |
| python313-tools | suse enterprise desktop 15 SP7 | 3.13.5-150700.4.11.1 | fixed |
| python313-tools | suse enterprise sap 15 SP7 | 3.13.5-150700.4.11.1 | fixed |
| python313-tools | suse enterprise server 15 SP7 | 3.13.5-150700.4.11.1 | fixed |

Red Hat Enterprise Linux Releases

| Red Hat Product | Release | Version | Status |
|---|---|---|---|
| python3.12 | RHEL 8 | 0:3.12.8-1.el8_10 | fixed |
| python3.12 | RHEL 9 | 0:3.12.5-2.el9_5.2 | fixed |
| python3.12-debug | RHEL 8 | 0:3.12.8-1.el8_10 | fixed |
| python3.12-debug | RHEL 9 | 0:3.12.5-2.el9_5.2 | fixed |
| python3.12-devel | RHEL 8 | 0:3.12.8-1.el8_10 | fixed |
| python3.12-devel | RHEL 9 | 0:3.12.5-2.el9_5.2 | fixed |
| python3.12-idle | RHEL 8 | 0:3.12.8-1.el8_10 | fixed |
| python3.12-idle | RHEL 9 | 0:3.12.5-2.el9_5.2 | fixed |
| python3.12-libs | RHEL 8 | 0:3.12.8-1.el8_10 | fixed |
| python3.12-libs | RHEL 9 | 0:3.12.5-2.el9_5.2 | fixed |
| python3.12-rpm-macros | RHEL 8 | 0:3.12.8-1.el8_10 | fixed |
| python3.12-test | RHEL 8 | 0:3.12.8-1.el8_10 | fixed |
| python3.12-test | RHEL 9 | 0:3.12.5-2.el9_5.2 | fixed |
| python3.12-tkinter | RHEL 8 | 0:3.12.8-1.el8_10 | fixed |
| python3.12-tkinter | RHEL 9 | 0:3.12.5-2.el9_5.2 | fixed |