CVE-2024-3219

Name of the Vulnerable Software and Affected Versions CPython versions 3.5 through latest

Description The issue arises from the "socket" module's pure-Python fallback for the socket.socketpair() function on platforms that don't support AF UNIX, such as Windows. This implementation uses AF INET or AF INET6 to create a local connected pair of sockets. However, the connection between the two sockets is not verified before being passed back to the user, leaving the server socket vulnerable to a connection race from a malicious local peer. Platforms that support AF UNIX, like Linux and macOS, are not affected.

Recommendations For CPython versions 3.5 and later, consider disabling the socket.socketpair() function until a patch is available to prevent potential exploitation. Restrict access to the "socket" module to minimize the risk of a connection race from a malicious local peer. Avoid using the AF INET or AF INET6 protocols in the socket.socketpair() function on Windows platforms until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.