PT-2024-36813 · Python+10 · Cpython+10
Seth Larson · Published 2024-06-27 · Updated 2026-04-06 · CVE-2024-5642
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Name of the Vulnerable Software and Affected Versions
CPython versions 3.9 and earlier

Description
The issue arises from configuring an empty list for SSLContext.set_npn_protocols(), which is an invalid value for the underlying OpenSSL API, resulting in a buffer over-read when NPN is used. This is considered a low-severity issue due to the limited use of NPN and the uncommon practice of specifying an empty list.

Recommendations
For CPython versions 3.9 and earlier, as a temporary workaround, consider avoiding the use of an empty list for SSLContext.set_npn_protocols() until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
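The following is an added example, not part of this record or of CPython itself: a defender-side validation helper that rejects the empty protocol list the description names, plus an AST scan that flags set_npn_protocols() calls in source under review whose argument is an empty list or tuple. The function names and the sample source are constructed for illustration.

```python
"""Defender-side checks for the CVE-2024-5642 pattern (constructed example)."""
import ast

def validate_npn_protocols(protocols) -> list[str]:
    """Return protocols as a list if safe to hand to set_npn_protocols().
    Rejects the empty list the advisory warns about and any empty entry,
    since both are invalid for the underlying OpenSSL NPN wire format."""
    names = list(protocols)
    if not names:
        raise ValueError("NPN protocol list must not be empty (CVE-2024-5642)")
    for name in names:
        if not isinstance(name, str) or not name:
            raise ValueError(f"invalid NPN protocol name: {name!r}")
    return names

def _is_empty_sequence(node: ast.AST) -> bool:
    """True for [] / () literals and bare list() / tuple() calls."""
    if isinstance(node, (ast.List, ast.Tuple)):
        return len(node.elts) == 0
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
        return node.func.id in ("list", "tuple") and not node.args and not node.keywords
    return False

def find_empty_npn_calls(source: str) -> list[int]:
    """Line numbers of set_npn_protocols(...) calls whose argument is empty."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr != "set_npn_protocols":
            continue
        # Accept the positional form and the keyword form (npn_protocols=[]).
        args = list(node.args) + [kw.value for kw in node.keywords]
        if args and _is_empty_sequence(args[0]):
            hits.append(node.lineno)
    return hits

# Constructed source under review: line 4 is the unsafe call, line 5 is fine.
SAMPLE = """
import ssl
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
ctx.set_npn_protocols([])
ctx.set_npn_protocols(["h2", "http/1.1"])
"""

if __name__ == "__main__":
    for line in find_empty_npn_calls(SAMPLE):
        print(f"line {line}: set_npn_protocols() called with an empty protocol list")
```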

Weakness Enumeration
Out-of-bounds Read

Related Identifiers

ALSA-2025:23342
ALSA-2025:23530
ALT-PU-2024-12993
ALT-PU-2024-14497
BDU:2025-11592
BIT-LIBPYTHON-2024-5642
BIT-PYTHON-2024-5642
BIT-PYTHON-MIN-2024-5642
CVE-2024-5642
ECHO-92BD-FC28-530B
OESA-2025-2637
OESA-2025-2638
OPENSUSE-SU-2024:14253-1
OPENSUSE-SU-2024:14256-1
OPENSUSE-SU-2024_3076-1
OPENSUSE-SU-2024_3470-1
PSF-2024-6
RHSA-2025:23342
SUSE-SU-2024:3076-1
SUSE-SU-2024:3351-1
SUSE-SU-2024:3353-1
SUSE-SU-2024:3470-1
SUSE-SU-2024_3076-1
SUSE-SU-2024_3353-1
SUSE-SU-2024_3470-1

Affected Products

Alt Linux
Almalinux
Cpython
Centos
Debian
Ibm Aix
Openssl
Red Hat
Red Os
Rocky Linux
Suse