PT-2024-39977 · Pypi · Pyo3

Published: 2024-10-12 · Updated: 2025-01-27 · CVE-2024-9979

CVSS v3.1: 5.3 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: PyO3 versions prior to 0.22.4; PyO3 version 0.22.4 (with mitigated functions, to be fully removed in 0.23)

Description: A flaw was found in PyO3 that causes a use-after-free. It can lead to memory corruption or crashes through unsound borrowing from weak Python references. The issue arises because a weak reference does not own the value it points to, so the last strong reference can be cleared at any point, leaving the borrowed value dangling.

Recommendations: For PyO3 versions prior to 0.22.4, update to version 0.22.4 to use the mitigated functions. For PyO3 version 0.22.4, avoid the deprecated functions that read "borrowed" values from Python weak references until they are fully removed in version 0.23. For all affected versions, await the release of PyO3 0.23, which removes the problematic functions entirely.
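To show the ownership rule the recommendation relies on, here is an added example that models the weak-reference pattern with Rust's standard library `Rc`/`Weak` types; it is not PyO3 code, and `PyValue`, `WeakRefModel` and `read_through_weak` are names assumed for the illustration. The sound reader upgrades the weak reference to an owning handle before touching the value, which is the shape of the mitigated API, instead of handing out a borrow that nothing keeps alive.

```rust
use std::rc::{Rc, Weak};

/// Stand-in for a Python object: a reference-counted value.
/// (Model for illustration only; not pyo3's PyObject.)
#[derive(Debug, PartialEq)]
struct PyValue(String);

/// Stand-in for a Python weak reference: it does not own the target,
/// so the last strong reference may disappear at any time.
struct WeakRefModel {
    target: Weak<PyValue>,
}

impl WeakRefModel {
    fn new(strong: &Rc<PyValue>) -> Self {
        WeakRefModel { target: Rc::downgrade(strong) }
    }

    /// Sound pattern: upgrade to a strong, owning handle first. While the
    /// caller holds it the value cannot be freed; if the target is already
    /// gone the caller gets None instead of a dangling borrow.
    fn upgrade(&self) -> Option<Rc<PyValue>> {
        self.target.upgrade()
    }
}

/// Reads the referent through an owned handle. `drop_me` simulates an
/// external strong reference that is cleared while the read is in progress;
/// the upgraded handle keeps the object alive for the whole call anyway.
fn read_through_weak(weak: &WeakRefModel, drop_me: Option<Rc<PyValue>>) -> Option<String> {
    let strong = weak.upgrade()?; // take ownership before touching the value
    drop(drop_me);                // the "last" outside strong ref goes away mid-use
    Some(strong.0.clone())        // still valid: `strong` owns the value
}

fn main() {
    let obj = Rc::new(PyValue("payload".to_string()));
    let weak = WeakRefModel::new(&obj);
    println!("{:?}", read_through_weak(&weak, Some(obj))); // Some("payload")
    println!("{:?}", weak.upgrade());                      // None: nothing owns it now
}
```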

Fix

Weakness Enumeration

Use After Free

Related Identifiers

CVE-2024-9979
GHSA-6JGW-RGMM-7CV6
RUSTSEC-2024-0378

Affected Products

Pyo3