Vulnerability Description
The method "sock_recvfrom_into()" of "asyncio.ProacterEventLoop" (Windows only) was missing a boundary check for the data buffer when using nbytes parameter. This allowed for an out-of-bounds buffer write if data was larger than the buffer size. Non-Windows platforms are not affected.
Related Weaknesses (CWE)
References
- https://github.com/python/cpython/commit/1274766d3c29007ab77245a72abbf8dce2a9db4
- https://github.com/python/cpython/commit/27522b7d6e6588f03e61099dd858cd5a9314e2f
- https://github.com/python/cpython/commit/95633d2aad4721e25e4dfd9f43dfb6e1edcbd74
- https://github.com/python/cpython/issues/148808
- https://github.com/python/cpython/pull/148809
- https://mail.python.org/archives/list/[email protected]/thread/KWTPIQ
FAQ
What is CVE-2026-3298?
CVE-2026-3298 is a documented vulnerability. The method "sock_recvfrom_into()" of "asyncio.ProacterEventLoop" (Windows only) was missing a boundary check for the data buffer when using nbytes parameter. This allowed for an out-of-bounds buffer w...
How severe is CVE-2026-3298?
CVSS scoring is not yet available for CVE-2026-3298. Check NVD for updates.
Is there a patch for CVE-2026-3298?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.