CVE-2024-12254

Public on 2024-12-06
Modified on 2024-12-17
Description
Starting in Python 3.12.0, the asyncio._SelectorSocketTransport.writelines()
method would not "pause" writing and signal to the Protocol to drain
the buffer to the wire once the write buffer reached the "high-water
mark". Because of this, Protocols would not periodically drain the write
buffer potentially leading to memory exhaustion.





This
vulnerability likely impacts a small number of users, you must be using
Python 3.12.0 or later, on macOS or Linux, using the asyncio module
with protocols, and using .writelines() method which had new
zero-copy-on-write behavior in Python 3.12.0 and later. If not all of
these factors are true then your usage of Python is unaffected.
Severity
Important severity
Important
CVSS v3 Base Score
7.5
See breakdown

Affected Packages

Platform Package Release Date Advisory Status
HAQM Linux 2 - Core python Not Affected
HAQM Linux 1 python26 Not Affected
HAQM Linux 1 python27 Not Affected
HAQM Linux 2 - Core python3 Not Affected
HAQM Linux 2023 python3.11 Not Affected
HAQM Linux 2023 python3.12 2025-01-21 ALAS2023-2025-808 Fixed
HAQM Linux 2023 python3.9 Not Affected
HAQM Linux 1 python34 Not Affected
HAQM Linux 1 python35 Not Affected
HAQM Linux 1 python36 Not Affected
HAQM Linux 1 python38 Not Affected

CVSS Scores

Score Type Score Vector
HAQM Linux CVSSv3 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
NVD CVSSv3 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

Red Hat: CVE-2024-12254 Mitre: CVE-2024-12254