8.8

CVE-2026-3298

Out-of-bounds write in Windows asyncio.ProacterEventLoop.sock_recvfrom_into() when using nbytes

The method "sock_recvfrom_into()" of "asyncio.ProacterEventLoop" (Windows only) was missing a boundary check for the data buffer when using nbytes parameter. This allowed for an out-of-bounds buffer write if data was larger than the buffer size. Non-Windows platforms are not affected.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerPython Software Foundation
Produkt CPython
Default Statusunaffected
Version 3.11.0
Version < 3.13.14
Status affected
Version 3.14.0a1
Version < 3.14.5rc1
Status affected
Version 3.15.0a1
Version < 3.15.0b1
Status affected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.37% 0.29
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
cna@python.org 8.8 0 0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE-787 Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

https://github.com/python/cpython/pull/148809
https://github.com/python/cpython/issues/148808
https://mail.python.org/archives/list/security-announce@python.org/thread/KWTPIQBOOOUNQP7UFSLBI437NJDFLA3F/
https://github.com/python/cpython/commit/1274766d3c29007ab77245a72abbf8dce2a9db4d
https://github.com/python/cpython/commit/27522b7d6e6588f03e61099dd858cd5a9314e2f2
https://github.com/python/cpython/commit/95633d2aad4721e25e4dfd9f43dfb6e1edcbd741