Memory Exhaustion Risk in Python's asyncio Module on macOS and Linux
CVE-2024-12254

CVSS v4 score: 8.7 (HIGH)

Key Information:

CVE Published: 6 December 2024

Badges: Score 397, Exploit Exists, News Worthy

What is CVE-2024-12254?

CVE-2024-12254 is a vulnerability in the asyncio module of Python, affecting versions 3.12.0 and later on macOS and Linux. The asyncio module is used for writing concurrent code with the async/await syntax and for handling asynchronous I/O efficiently. The vulnerability can lead to memory exhaustion: the writelines() method does not drain the write buffer, or signal the protocol to stop writing, once the buffer reaches its high-water mark. Organizations running affected Python versions with this functionality may experience severe performance degradation or outages from unexpected memory consumption, potentially impacting critical applications and services.

Technical Details

The root of the problem lies in the asyncio._SelectorSocketTransport.writelines() method. Starting with Python 3.12.0, it does not signal the protocol to pause writing and drain the write buffer once the buffer reaches the configured high-water mark. Because the protocol is never paused, it keeps writing and the buffer grows without bound, leading to excessive memory usage. The issue only arises when the asyncio module is used with Protocols and data is written via writelines(), so the risk is specific to developers who adopted the reimplemented writelines() introduced in Python 3.12.
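Whether a given interpreter applies this back-pressure can be checked locally without any network traffic. The probe below is an added example, not code from the advisory or from CPython: it attaches a transport to one end of a socketpair, sets a 1 KiB high-water mark, queues 4 MiB with writelines() and reports whether pause_writing() was invoked, using write() as a control that must pause on every Python version. The HIGH_WATER value, the 4 MiB payload and the 4096-byte kernel buffer sizes are constructed test settings.

```python
import asyncio
import socket
import sys

HIGH_WATER = 1024  # constructed: a tiny high-water mark keeps the probe cheap


class FlowControlProbe(asyncio.Protocol):
    """Records whether the transport asked this protocol to pause writing."""
    paused = False

    def pause_writing(self) -> None:
        self.paused = True

    def resume_writing(self) -> None:
        self.paused = False


async def _probe(use_writelines: bool) -> bool:
    writer, peer = socket.socketpair()
    # Constructed condition: small kernel buffers and a 4 MiB payload, so most
    # of the data must stay queued in the transport's user-space write buffer.
    writer.setsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF, 4096)
    peer.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, 4096)
    payload = [b"x" * 65536] * 64
    loop = asyncio.get_running_loop()
    transport, protocol = await loop.create_connection(FlowControlProbe, sock=writer)
    try:
        transport.set_write_buffer_limits(high=HIGH_WATER)
        if use_writelines:
            transport.writelines(payload)
        else:
            transport.write(b"".join(payload))
        if transport.get_write_buffer_size() <= HIGH_WATER:
            raise RuntimeError("inconclusive: kernel absorbed the whole payload")
        # A correct transport calls pause_writing() synchronously once the
        # queued bytes exceed the high-water mark; an affected one never does.
        return protocol.paused
    finally:
        transport.abort()       # discard queued data and close the socket
        await asyncio.sleep(0)  # let connection_lost() run before exiting
        peer.close()


def pauses_protocol(use_writelines: bool) -> bool:
    """False for writelines() means this interpreter carries the defect."""
    return asyncio.run(_probe(use_writelines))


def predates_bug() -> bool:
    """The defect was introduced in 3.12.0; older interpreters must pass."""
    return sys.version_info < (3, 12)
```

Running `pauses_protocol(True)` on a patched build (3.12.9, 3.13.2 or later) returns True; a False result alongside a True control means the interpreter still needs the fix.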

Potential Impact of CVE-2024-12254

  1. Memory Exhaustion: The primary concern associated with this vulnerability is the risk of memory exhaustion. In applications where high volumes of data are written to sockets, the lack of buffer management can lead to situations where a system runs out of available memory, causing application crashes or severely degraded performance.

  2. Service Disruptions: Affected applications may face unexpected service disruptions, especially in environments that heavily rely on asynchronous operations. This can lead to downtime or degraded user experience, impacting business operations and potentially resulting in financial loss.

  3. Limited User Exposure: The vulnerability has specific requirements for exploitation, so only the subset of users operating under the affected conditions is exposed, but for them the risk is notable. Developers may gain a false sense of security if they are not fully aware of the implications for their asynchronous I/O code on newer versions of Python.

Affected Version(s)

CPython on macOS: 3.12.0 up to, but not including, 3.12.9

CPython on macOS: 3.13.0 up to, but not including, 3.13.2

CPython on macOS: 3.14.0a1 up to, but not including, 3.14.0a3

News Articles

Critical Vulnerability in Python Affected MacOS or Linux Leads to Exploiting The Memory

A high-severity vulnerability (CVE-2024-12254) impacting CPython has been publicly disclosed, affecting Python versions 3.12.0 and later.

CVSS v4

Score: 8.7
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Exploit known to exist

  • First article discovered by CybersecurityNews

  • Vulnerability published

Credit

J. Nick Koston
Seth Larson