PT-2026-32696 · Python · CPython

Nicholas Gould

Published 2026-04-14 · Updated 2026-05-23 · CVE-2026-5713

CVSS v4.0: 5.3 (Medium)
Vector: AV:L/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions: CPython versions 3.14 and later

Description: The profiling.sampling module and the asyncio introspection commands ('python -m asyncio ps' and 'python -m asyncio pstree') read the memory of another Python process through the remote debugging feature. If a privileged process uses them to connect to a malicious Python process, data supplied by that target can trigger out-of-bounds reads and writes of memory in the privileged (inspecting) process. Exploitation requires persistent, repeated connections to the malicious process, because Address Space Layout Randomization (ASLR), which randomizes where a process's key data areas are placed, makes the connecting process far more likely to crash than to be exploited on any single attempt.

Recommendations: At the moment, there is no information about a newer upstream version that contains a fix for this vulnerability. Since the attack requires the inspecting process to attach to a process the attacker controls, do not run these tools from a privileged account against Python processes you do not fully trust until a fixed release is identified; consult the vendor advisories listed under Related Identifiers for distribution-specific updates.
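The bug class the description names, as an added illustration that is not CPython's code: an inspector copies a table out of a target process's memory using an offset and a length that the target itself supplies, so a hostile target can steer the copy outside the mapped image (out-of-bounds read) and past the inspector's own stack buffer (stack overflow). The header layout, the in-memory "target image", the 64-byte local buffer and the helper names below are all constructed for this example; the hardened reader shows the checks an inspector needs before using anything it read from the target as an index or a length.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model (not CPython's code): metadata the inspector reads from
 * the TARGET process and then uses to address memory in its OWN process. */
struct remote_header {
    uint32_t table_offset;  /* where the target says its table starts */
    uint32_t table_size;    /* how many bytes the target says it holds */
};

#define LOCAL_BUF_SIZE 64   /* the inspector's fixed-size stack buffer */

/* Pre-fix shape: the header is trusted. With a hostile header the memcpy
 * reads past the mapped image and writes past `local` on the inspector's
 * stack. Called only with the benign image in this example. */
static size_t read_table_unchecked(const uint8_t *image, uint8_t *local)
{
    struct remote_header hdr;
    memcpy(&hdr, image, sizeof hdr);
    memcpy(local, image + hdr.table_offset, hdr.table_size);
    return hdr.table_size;
}

/* Hardened reader: every target-supplied value is validated against sizes
 * the inspector knows independently (the image length it mapped and its own
 * buffer). Returns bytes copied, or -1 if the header is inconsistent. */
static long read_table_checked(const uint8_t *image, size_t image_len,
                               uint8_t *local, size_t local_len)
{
    struct remote_header hdr;
    if (image_len < sizeof hdr)
        return -1;
    memcpy(&hdr, image, sizeof hdr);
    /* Offset must fall inside the image, after the header. */
    if (hdr.table_offset < sizeof hdr || hdr.table_offset > image_len)
        return -1;
    /* Subtraction form: `offset + size` could wrap in 32-bit arithmetic. */
    if (hdr.table_size > image_len - hdr.table_offset)
        return -1;
    /* The destination is ours; it bounds the copy as well. */
    if (hdr.table_size > local_len)
        return -1;
    memcpy(local, image + hdr.table_offset, hdr.table_size);
    return (long)hdr.table_size;
}

/* Builds a constructed target image: header, then `table_bytes` of filler.
 * The header fields are whatever the "target" chooses to claim. */
static size_t build_image(uint8_t *out, uint32_t claimed_offset,
                          uint32_t claimed_size, size_t table_bytes)
{
    struct remote_header hdr = { claimed_offset, claimed_size };
    memcpy(out, &hdr, sizeof hdr);
    for (size_t i = 0; i < table_bytes; i++)
        out[sizeof hdr + i] = (uint8_t)(0xA0 + i);
    return sizeof hdr + table_bytes;
}

/* Honest target: header describes exactly the 16 bytes that follow it. */
long demo_benign_checked(void)
{
    uint8_t image[64], local[LOCAL_BUF_SIZE];
    size_t n = build_image(image, 8, 16, 16);
    return read_table_checked(image, n, local, sizeof local);
}

/* Same honest image through the unchecked reader: identical result, which
 * is why the missing checks go unnoticed until a hostile target appears. */
long demo_benign_unchecked(void)
{
    uint8_t image[64], local[LOCAL_BUF_SIZE];
    build_image(image, 8, 16, 16);
    return (long)read_table_unchecked(image, local);
}

/* Hostile target 1: offset far outside the 24-byte image. */
long demo_hostile_offset(void)
{
    uint8_t image[64], local[LOCAL_BUF_SIZE];
    size_t n = build_image(image, 0x7fffffffu, 4096, 16);
    return read_table_checked(image, n, local, sizeof local);
}

/* Hostile target 2: valid offset, but offset + size wraps to 0 in uint32,
 * so a naive `offset + size <= image_len` test would accept it. */
long demo_hostile_wrap(void)
{
    uint8_t image[64], local[LOCAL_BUF_SIZE];
    size_t n = build_image(image, 8, 0xfffffff8u, 16);
    return read_table_checked(image, n, local, sizeof local);
}

int main(void)
{
    printf("benign checked=%ld unchecked=%ld\n",
           demo_benign_checked(), demo_benign_unchecked());
    printf("hostile offset=%ld wrap=%ld\n",
           demo_hostile_offset(), demo_hostile_wrap());
    return 0;
}
```

Built as-is, the honest image yields 16 bytes through both readers and both hostile images are rejected with -1 by the checked reader. The ASLR remark in the description maps onto the unchecked path: the hostile header has to name addresses in the inspector's process, which the target cannot observe, so most attempts crash the inspector rather than land a useful read or write.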

Weakness Enumeration

Out-of-bounds Read
Stack Overflow

Related Identifiers

ALSA-2026:19019
ALSA-2026:19176
BIT-LIBPYTHON-2026-5713
BIT-PYTHON-2026-5713
BIT-PYTHON-MIN-2026-5713
CVE-2026-5713
OPENSUSE-SU-2026:10648-1
PSF-2026-19
RHSA-2026:7443
RHSA-2026:8822
RHSA-2026:8824
RHSA-2026:9228

Affected Products

CPython
Rocky Linux