PT-2024-10121 · Python+8

Seth Larson · Published 2024-12-06 · Updated 2026-05-18 · CVE-2024-12254

CVSS v4.0: 8.7 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions

Python versions 3.12.0 through 3.12.x
Python versions prior to 3.14.0a2
Description

The issue is in the asyncio._SelectorSocketTransport.writelines() method, which does not "pause" writing and signal the Protocol to drain the buffer to the wire once the write buffer reaches the "high-water mark". Because Protocols then do not periodically drain the write buffer, this can lead to memory exhaustion. The issue likely impacts a small number of users: those running Python 3.12.0 or later on macOS or Linux, using the asyncio module with protocols, and calling the .writelines() method.
Recommendations

Python versions 3.12.0 through 3.12.x: Update to version 3.14.0a2 to resolve the issue.
Python versions prior to 3.14.0a2: Update to version 3.14.0a2 to stay protected.
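Where an upgrade cannot be rolled out immediately, a protocol can enforce the high-water mark itself instead of waiting for a pause_writing() call. The following is an added example, not code from the advisory or from CPython; BoundedWriter, send_chunks, drain_peer, demo and run_demo are hypothetical names, the polling interval is an assumption, and the payload is constructed.

```python
import asyncio
import socket

CHUNK = 64 * 1024   # constructed sample: bytes per writelines() call
N_CHUNKS = 64       # constructed sample: 4 MiB in total

class BoundedWriter(asyncio.Protocol):
    """Hypothetical protocol that applies backpressure without pause_writing()."""
    def __init__(self):
        self.transport = None
        self.peak = 0  # largest write-buffer size seen right after a write

    def connection_made(self, transport):
        self.transport = transport

    async def send_chunks(self, chunks, poll=0.001):
        _, high = self.transport.get_write_buffer_limits()
        for chunk in chunks:
            # Wait for the event loop to flush the buffer down to the
            # high-water mark before queueing more data.
            while self.transport.get_write_buffer_size() > high:
                await asyncio.sleep(poll)
            self.transport.writelines([chunk])
            self.peak = max(self.peak, self.transport.get_write_buffer_size())
        return high

async def drain_peer(sock, expected):
    """Constructed peer: read until `expected` bytes have arrived or EOF."""
    reader, writer = await asyncio.open_connection(sock=sock)
    received = 0
    while received < expected and (data := await reader.read(CHUNK)):
        received += len(data)
    writer.close()
    return received

async def demo():
    a, b = socket.socketpair()  # local socket pair, no network needed
    loop = asyncio.get_running_loop()
    transport, proto = await loop.create_connection(BoundedWriter, sock=a)
    chunks = [bytes(CHUNK)] * N_CHUNKS
    high, received = await asyncio.gather(
        proto.send_chunks(chunks), drain_peer(b, CHUNK * N_CHUNKS))
    transport.close()
    return proto.peak, high, received

def run_demo():
    return asyncio.run(demo())
```

With this guard the transport's write buffer never exceeds the high-water mark plus one chunk, whether or not the running interpreter signals pause_writing() from writelines().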

Fix

DoS

Resource Exhaustion

Allocation of Resources Without Limits

Weakness Enumeration

Related Identifiers

ALSA-2024:10978
ALSA-2024:10980
AZL-54042
BDU:2025-00345
BIT-LIBPYTHON-2024-12254
BIT-PYTHON-2024-12254
BIT-PYTHON-MIN-2024-12254
CESA-2024_10980
CLEANSTART-2026-CI66802
CLEANSTART-2026-KM27583
CLEANSTART-2026-SP91806
CVE-2024-12254
INFSA-2024_10978
INFSA-2024_10980
OPENSUSE-SU-2024:14581-1
OPENSUSE-SU-2024_4291-1
OPENSUSE-SU-2025:14691-1
OPENSUSE-SU-2025:14998-1
OPENSUSE-SU-2025_0521-1
PSF-2024-14
RHSA-2024:10978
RHSA-2024:10980
RHSA-2024:11035
RHSA-2024_10978
RHSA-2024_10980
RLSA-2024:10978
RLSA-2024:10980
SUSE-SU-2024:4291-1
SUSE-SU-2025:02074-1
SUSE-SU-2025:0521-1
USN-7219-1

Affected Products

AlmaLinux
CentOS
Linux Mint
Python
Red Hat
RED OS
Rocky Linux
SUSE
Ubuntu