Out-of-bounds Write Vulnerability in Python's Asyncio Module on Windows
CVE-2026-3298

8.8 HIGH

Key Information:

Status
Vendor
CVE Published: 21 April 2026

What is CVE-2026-3298?

On Windows, the asyncio event loop's sock_recvfrom_into() method does not check the nbytes parameter against the length of the buffer it is asked to fill. A call that passes an nbytes value larger than the buffer therefore lets the receive operation write past the end of that buffer, an out-of-bounds write into adjacent process memory. The flaw is specific to the Windows implementation of the method; non-Windows platforms are not affected. Users should upgrade to a patched CPython release; until that is possible, code that calls sock_recvfrom_into() should reject any nbytes value greater than the buffer length before issuing the call.
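The following is an added example, not code from the advisory or from CPython's fix. It shows the caller-side guard described above: a wrapper around loop.sock_recvfrom_into() that validates nbytes against the buffer length the way the socket module's own socket.recvfrom_into() does (nbytes of 0 means "whole buffer", negative or oversized values are refused), plus a helper that tests whether the running interpreter sits inside the advisory's affected window. The function names and the UDP loopback exchange in the demo are constructed for this example and are assumptions, not part of the original page.

```python
import asyncio
import socket
import sys

# Affected window as stated in the advisory (Windows only). Assumption: any
# build inside this window that has not been patched is treated as affected.
AFFECTED_MIN = (3, 11, 0)
AFFECTED_MAX = (3, 15, 0)


def interpreter_may_be_affected(platform: str = sys.platform,
                                version: tuple = tuple(sys.version_info[:3])) -> bool:
    """True when the interpreter is a Windows build inside the affected window."""
    return platform == "win32" and AFFECTED_MIN <= version < AFFECTED_MAX


def checked_nbytes(buf, nbytes: int = 0) -> int:
    """Validate (buf, nbytes) before any receive is issued.

    Mirrors the checks socket.recvfrom_into() performs itself:
    the buffer must be writable, nbytes may not be negative, nbytes == 0
    selects the whole buffer, and nbytes may never exceed the buffer length.
    Returning the effective byte count means the kernel is never asked to
    write more bytes than the buffer can hold.
    """
    view = memoryview(buf)
    if view.readonly:
        raise TypeError("a writable bytes-like object is required")
    buflen = view.nbytes
    if nbytes < 0:
        raise ValueError("negative buffersize in recvfrom_into")
    if nbytes == 0:
        return buflen
    if nbytes > buflen:
        raise ValueError("nbytes is greater than the length of the buffer")
    return nbytes


def rejects_nbytes(buf, nbytes: int) -> bool:
    """True if checked_nbytes() refuses this (buf, nbytes) pair."""
    try:
        checked_nbytes(buf, nbytes)
    except (ValueError, TypeError):
        return True
    return False


async def safe_sock_recvfrom_into(loop, sock, buf, nbytes: int = 0):
    """Drop-in replacement for loop.sock_recvfrom_into() that bounds-checks first."""
    n = checked_nbytes(buf, nbytes)
    return await loop.sock_recvfrom_into(sock, buf, n)


async def _demo():
    # Constructed UDP loopback exchange: one datagram, one 16-byte buffer.
    loop = asyncio.get_running_loop()
    recv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    recv.bind(("127.0.0.1", 0))
    recv.setblocking(False)
    send = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    send.setblocking(False)
    buf = bytearray(16)
    try:
        await loop.sock_sendto(send, b"hello", recv.getsockname())
        nread, addr = await safe_sock_recvfrom_into(loop, recv, buf, 16)
        print("received", nread, "bytes:", bytes(buf[:nread]), "from", addr)
        # 64 > len(buf): refused before the event loop ever sees the call.
        try:
            await safe_sock_recvfrom_into(loop, recv, buf, 64)
        except ValueError as exc:
            print("refused oversized nbytes:", exc)
    finally:
        recv.close()
        send.close()


if __name__ == "__main__":
    print("interpreter in affected window:", interpreter_may_be_affected())
    asyncio.run(_demo())
```

The guard is cheap and platform-independent, so it can be applied unconditionally rather than only on Windows; on an unaffected platform it simply duplicates a check the socket layer would perform anyway.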

Affected Version(s)

CPython from 3.11.0 up to, but not including, 3.15.0 (Windows builds only)

References

CVSS V4

Score: 8.8
Severity: HIGH
Confidentiality: Low
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

GGAutomaton (https://github.com/GGAutomaton)
Victor Stinner (https://github.com/vstinner)
Seth Larson (https://github.com/sethmlarson)