Description
Starting in Python 3.12.0, the asyncio._SelectorSocketTransport.writelines() method would not "pause" writing and signal to the Protocol to drain the buffer to the wire once the write buffer reached the "high-water mark". Because of this, Protocols would not periodically drain the write buffer, potentially leading to memory exhaustion.
This vulnerability likely impacts a small number of users: you must be using Python 3.12.0 or later, on macOS or Linux, using the asyncio module with protocols, and using the .writelines() method, which had new zero-copy-on-write behavior in Python 3.12.0 and later. If not all of these factors are true, then your usage of Python is unaffected.
A flaw was found in Python. In certain configurations, the asyncio._SelectorSocketTransport.writelines()
method fails to signal the protocol to clear the write buffer when it approaches capacity. Because of this, protocols would not periodically drain the write buffer, potentially leading to a denial of service via memory exhaustion.
Statement
This vulnerability likely impacts a small number of users. You must be using Python 3.12.0 or later, on Linux, using the asyncio module with protocols, and using the .writelines() method, which had new zero-copy-on-write behavior in Python 3.12.0 and later. If not all of these factors are true, then your usage of Python is unaffected.
This vulnerability is rated with an Important severity due to its potential for denial of service (DoS) attacks through memory exhaustion. By failing to signal the protocol to drain the write buffer when approaching the high-water mark, the affected asyncio._SelectorSocketTransport.writelines() method introduces an important flaw in flow control. This flaw can lead to uncontrolled growth of the buffer in long-running or high-throughput applications, which are typical in networked systems or event-driven architectures. Given that asyncio is widely used in performance-critical Python applications for handling asynchronous I/O, the impact of memory exhaustion could destabilize services, compromise system availability, and increase the risk of cascading failures, especially in production environments handling large-scale or untrusted inputs.
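The following model, added here for illustration and not taken from the advisory or from CPython, shows the back-pressure check the description refers to: a transport that buffers `writelines()` data and pauses the protocol once the buffer passes the high-water mark, next to the same transport with that check skipped. The class and function names (`FlowControlledTransport`, `BackPressureProtocol`, `simulate`, `flush`, `pause_on_writelines`) are constructed for this example; the 64 KiB / 16 KiB limits are asyncio's documented `set_write_buffer_limits()` defaults.

```python
import asyncio

class FlowControlledTransport:
    """Write-buffer model with asyncio-style high/low water marks (an illustration,
    not asyncio's code). pause_on_writelines=False reproduces the 3.12.0 defect."""

    def __init__(self, protocol, high=64 * 1024, low=16 * 1024, pause_on_writelines=True):
        self._protocol, self.buffer = protocol, bytearray()
        self._high, self._low = high, low
        self._pause_on_writelines, self._protocol_paused = pause_on_writelines, False

    def _maybe_pause_protocol(self):
        # Past the high-water mark: tell the protocol to stop producing until drained.
        if not self._protocol_paused and len(self.buffer) > self._high:
            self._protocol_paused = True
            self._protocol.pause_writing()

    def _maybe_resume_protocol(self):
        # Drained to the low-water mark: let the protocol produce again.
        if self._protocol_paused and len(self.buffer) <= self._low:
            self._protocol_paused = False
            self._protocol.resume_writing()

    def writelines(self, list_of_data):
        self.buffer.extend(b"".join(list_of_data))
        if self._pause_on_writelines:  # the check the vulnerable writelines() skipped
            self._maybe_pause_protocol()

    def flush(self, nbytes):
        # Stand-in for the event loop writing `nbytes` of the buffer to the socket.
        del self.buffer[:nbytes]
        self._maybe_resume_protocol()

class BackPressureProtocol(asyncio.Protocol):
    """Protocol that honours back-pressure by recording pause/resume calls."""
    paused, pause_calls, resume_calls = False, 0, 0

    def pause_writing(self):
        self.paused, self.pause_calls = True, self.pause_calls + 1
    def resume_writing(self):
        self.paused, self.resume_calls = False, self.resume_calls + 1

def simulate(chunks, chunk_size, pause_on_writelines=True):
    """Producer that stops as soon as it is paused; returns (transport, protocol)."""
    proto = BackPressureProtocol()
    transport = FlowControlledTransport(proto, pause_on_writelines=pause_on_writelines)
    for _ in range(chunks):
        if proto.paused:
            break
        transport.writelines([b"x" * chunk_size])
    return transport, proto
```

With the check in place a well-behaved producer is stopped after roughly one chunk past 64 KiB, whereas without it the same producer buffers all 1000 chunks (1 MB) and is never told to stop, which is the unbounded growth the statement describes.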
Mitigation
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Affected packages
Platform | Package | Status | Advisory | Release |
---|---|---|---|---|
Red Hat Enterprise Linux 6 | python | Not affected | | |
Red Hat Enterprise Linux 7 | python | Not affected | | |
Red Hat Enterprise Linux 7 | python3 | Not affected | | |
Red Hat Enterprise Linux 8 | gimp:flatpak/python2 | Not affected | | |
Red Hat Enterprise Linux 8 | python3 | Not affected | | |
Red Hat Enterprise Linux 8 | python3.11 | Not affected | | |
Red Hat Enterprise Linux 8 | python36:3.6/python36 | Not affected | | |
Red Hat Enterprise Linux 8 | python39:3.9/python39 | Not affected | | |
Red Hat Enterprise Linux 8 | python39-devel:3.9/python39 | Not affected | | |
Red Hat Enterprise Linux 9 | python3.11 | Not affected | | |
Additional information
CVSS3: 7.5 High