Critical Vulnerability in Python Affected MacOS or Linux Leads to Exploiting The Memory

A high severity vulnerability (CVE-2024-12254) affecting CPython has been publicly disclosed, affecting Python 3.12.0 and later.

the flaw was found in the asyncio module, specifically in the _SelectorSocketTransport.writelines() method, which could lead to memory exhaustion under certain conditions.

Overview of the Vulnerability

the vulnerability stems from improper handling of memory buffers in the writelines() method used in the asyncio module.

Normally, when the write buffer reaches a “high water mark”, the system pauses writes and signals the protocol to flush the buffer to avoid excessive memory usage.

However, in Python 3.12.0 and later, this mechanism fails to kick in, causing the write buffer to grow uncontrollably in certain scenarios.

the problem lies in the functionality of asyncio._SelectorSocketTransport.writelines() , which fails to pause writing and flush the buffer when the high water mark is reached.

This oversight could result in unbounded memory usage, which could lead to memory exhaustion. Given its impact, the severity of this issue is classified as High.

this vulnerability affects Python 3.12.0+ on macOS/Linux, where the asyncio protocol using .writelines() may not drain the write buffer, posing a risk of memory exhaustion due to the new zero-copy-on-write behavior introduced in Python 3.12.0.

The specific conditions required for this vulnerability to occur narrow its scope. It only affects users who meet all of the following conditions:

1. Python Version: Use Python 3.12.0 or higher.
2. operating System: Runs on macOS or Linux.
3. module usage: Actively use the asyncio module with protocols.
4. method usage: Relies on the .writelines() method, which introduced zero-copy-on-write behavior starting with Python 3.12.0.

If one or more of these conditions do not apply, your use of Python may not be affected.

The Python development team is actively working on resolving this issue. A fix has been proposed and is under review via the following pull request.

1. Patch as soon as possible: monitor the CVE list and Python’s official repositories for security updates.
2. Avoid affected versions: If possible, revert to an earlier version of Python (before 3.12.0) that is not affected by this issue.
3. limit usage of .writelines(): Until the issue is fixed, avoid or replace usage of the writelines() method in affected environments.