Threat Advisory

Critical Python Vulnerability Allows Memory Exploitation on macOS/Linux Systems

Threat: Vulnerability
Criticality: High

EXECUTIVE SUMMARY:

A high-severity vulnerability CVE-2024-12254 affecting Python versions 3.12.0 and later has been disclosed, stemming from a flaw in the asyncio._SelectorSocketTransport.writelines() method. This issue prevents the write buffer from pausing and draining when reaching a high-water mark, potentially leading to unbounded memory usage and system memory exhaustion. The problem is specific to macOS and Linux systems actively using the asyncio module with writelines(), which introduces zero-copy-on-write behavior in Python 3.12.0.

 

  • CVE-2024-12254: A high-severity vulnerability in the asyncio._SelectorSocketTransport.writelines() method of Python versions 3.12.0 and later causes unbounded memory growth by failing to pause and drain the write buffer upon reaching the high-water mark. This issue, specific to macOS and Linux systems, arises from the zero-copy-on-write behavior introduced in Python 3.12.0, potentially leading to memory exhaustion. CVSS Score: 7.5

 

The vulnerability underscores the importance of secure file handling and thorough system protections.

RECOMMENDATION:

We strongly recommend you update Cpython to version 3.13 or latest version.

REFERENCES:

The following reports contain further technical details:
https://cybersecuritynews.com/python-vulnerability/

crossmenu