{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3298", "assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22", "state": "PUBLISHED", "assignerShortName": "PSF", "dateReserved": "2026-02-26T20:12:47.041Z", "datePublished": "2026-04-21T14:45:01.919Z", "dateUpdated": "2026-04-21T20:19:01.610Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "CPython", "repo": "https://github.com/python/cpython", "vendor": "Python Software Foundation", "versions": [{"lessThan": "3.15.0", "status": "affected", "version": "3.11.0", "versionType": "python"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "GGAutomaton (https://github.com/GGAutomaton)"}, {"lang": "en", "type": "remediation reviewer", "value": "Victor Stinner (https://github.com/vstinner)"}, {"lang": "en", "type": "coordinator", "value": "Seth Larson (https://github.com/sethmlarson)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"type": "text/html", "value": "The method \"sock_recvfrom_into()\" of \"asyncio.ProacterEventLoop\" (Windows only) was missing a boundary check for the data buffer when using nbytes parameter. This allowed for an out-of-bounds buffer write if data was larger than the buffer size. Non-Windows platforms are not affected."}], "value": "The method \"sock_recvfrom_into()\" of \"asyncio.ProacterEventLoop\" (Windows only) was missing a boundary check for the data buffer when using nbytes parameter. This allowed for an out-of-bounds buffer write if data was larger than the buffer size. Non-Windows platforms are not affected."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.8, "baseSeverity": "HIGH", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-787", "description": "CWE-787 Out-of-bounds write", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "28c92f92-d60d-412d-b760-e73465c3df22", "shortName": "PSF", "dateUpdated": "2026-04-21T20:19:01.610Z"}, "references": [{"tags": ["patch"], "url": "https://github.com/python/cpython/pull/148809"}, {"tags": ["issue-tracking"], "url": "https://github.com/python/cpython/issues/148808"}, {"tags": ["vendor-advisory"], "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/KWTPIQBOOOUNQP7UFSLBI437NJDFLA3F/"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/commit/1274766d3c29007ab77245a72abbf8dce2a9db4d"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/commit/27522b7d6e6588f03e61099dd858cd5a9314e2f2"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/commit/95633d2aad4721e25e4dfd9f43dfb6e1edcbd741"}], "source": {"discovery": "UNKNOWN"}, "title": "Out-of-bounds write in Windows asyncio.ProacterEventLoop.sock_recvfrom_into() when using nbytes", "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T19:15:36.206348Z", "id": "CVE-2026-3298", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T19:15:44.557Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3298", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-21T19:15:36.206348Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T19:15:41.466Z"}}], "cna": {"title": "Out-of-bounds write in Windows asyncio.ProacterEventLoop.sock_recvfrom_into() when using nbytes", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "reporter", "value": "GGAutomaton (https://github.com/GGAutomaton)"}, {"lang": "en", "type": "remediation reviewer", "value": "Victor Stinner (https://github.com/vstinner)"}, {"lang": "en", "type": "coordinator", "value": "Seth Larson (https://github.com/sethmlarson)"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.8, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/python/cpython", "vendor": "Python Software Foundation", "product": "CPython", "versions": [{"status": "affected", "version": "3.11.0", "lessThan": "3.15.0", "versionType": "python"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/python/cpython/pull/148809", "tags": ["patch"]}, {"url": "https://github.com/python/cpython/issues/148808", "tags": ["issue-tracking"]}, {"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/KWTPIQBOOOUNQP7UFSLBI437NJDFLA3F/", "tags": ["vendor-advisory"]}, {"url": "https://github.com/python/cpython/commit/1274766d3c29007ab77245a72abbf8dce2a9db4d", "tags": ["patch"]}, {"url": "https://github.com/python/cpython/commit/27522b7d6e6588f03e61099dd858cd5a9314e2f2", "tags": ["patch"]}, {"url": "https://github.com/python/cpython/commit/95633d2aad4721e25e4dfd9f43dfb6e1edcbd741", "tags": ["patch"]}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "The method \"sock_recvfrom_into()\" of \"asyncio.ProacterEventLoop\" (Windows only) was missing a boundary check for the data buffer when using nbytes parameter. This allowed for an out-of-bounds buffer write if data was larger than the buffer size. Non-Windows platforms are not affected.", "supportingMedia": [{"type": "text/html", "value": "The method \"sock_recvfrom_into()\" of \"asyncio.ProacterEventLoop\" (Windows only) was missing a boundary check for the data buffer when using nbytes parameter. This allowed for an out-of-bounds buffer write if data was larger than the buffer size. Non-Windows platforms are not affected."}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-787", "description": "CWE-787 Out-of-bounds write"}]}], "providerMetadata": {"orgId": "28c92f92-d60d-412d-b760-e73465c3df22", "shortName": "PSF", "dateUpdated": "2026-04-21T20:19:01.610Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3298", "state": "PUBLISHED", "dateUpdated": "2026-04-21T20:19:01.610Z", "dateReserved": "2026-02-26T20:12:47.041Z", "assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22", "datePublished": "2026-04-21T14:45:01.919Z", "assignerShortName": "PSF"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The method \"sock_recvfrom_into()\" of \"asyncio.ProacterEventLoop\" (Windows only) was missing a boundary check for the data buffer when using nbytes parameter. This allowed for an out-of-bounds buffer write if data was larger than the buffer size. Non-Windows platforms are not affected."}], "id": "CVE-2026-3298", "lastModified": "2026-04-21T21:16:41.937", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@python.org", "type": "Secondary"}]}, "published": "2026-04-21T15:16:37.047", "references": [{"source": "cna@python.org", "url": "https://github.com/python/cpython/commit/1274766d3c29007ab77245a72abbf8dce2a9db4d"}, {"source": "cna@python.org", "url": "https://github.com/python/cpython/commit/27522b7d6e6588f03e61099dd858cd5a9314e2f2"}, {"source": "cna@python.org", "url": "https://github.com/python/cpython/commit/95633d2aad4721e25e4dfd9f43dfb6e1edcbd741"}, {"source": "cna@python.org", "url": "https://github.com/python/cpython/issues/148808"}, {"source": "cna@python.org", "url": "https://github.com/python/cpython/pull/148809"}, {"source": "cna@python.org", "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/KWTPIQBOOOUNQP7UFSLBI437NJDFLA3F/"}], "sourceIdentifier": "cna@python.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "cna@python.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.11.0,3.15.0)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "CPython", "source": "cna", "vendor": "Python Software Foundation"}, "product": "cpython", "vendor": "python"}], "analysis": {"en": {"generated_at": "2026-04-21T22:46:07.407205+00:00", "value": {"mitigation_remediation": ["Upgrade CPython to the latest release that includes the fix from the referenced pull request", "If an immediate upgrade is not possible, restrict or validate the nbytes parameter so it never exceeds the buffer size, or apply the patch manually from the PR", "Monitor Python processes for abnormal crashes or memory corruption and investigate any suspicious activity"], "summary": {"action": "Apply Patch", "impact": "Out-of-bounds write leading to memory corruption that could enable arbitrary code execution or crash"}, "threat_synthesis": {"affected_systems": "The flaw affects CPython releases running on Windows. All Windows builds of CPython that use asyncio.ProactorEventLoop and call sock_recvfrom_into() are potentially vulnerable. The vulnerability is not present on non\u2011Windows platforms.", "description_and_impact": "The vulnerability exists in the Windows implementation of asyncio.ProactorEventLoop.sock_recvfrom_into(). The method lacks a boundary check for the buffer when the nbytes parameter is specified, allowing a caller to write beyond the allocated memory. This out\u2011of\u2011bounds write is a classic buffer overflow (CWE\u2011787). If exploited, an attacker could corrupt memory, potentially leading to remote or local code execution, or destabilize the process with a denial\u2011of\u2011service.", "risk_and_exploitability": "The CVSS score is 8.8, indicating high severity. The EPSS score is not available, and the vulnerability is not listed in CISA's KEV catalog, suggesting no publicly known exploits yet. An attacker would need to induce a vulnerable Python application to receive a socket payload larger than the specified nbytes, which typically requires remote network interaction or local privilege depending on the application's socket exposure. Because the flaw manifests as a buffer overflow, exploitation would likely provide local code execution if the attacker can exercise the vulnerable function."}}}}, "created": "2026-04-21T17:00:11.938194+00:00", "updated": "2026-04-21T23:00:03.476498+00:00", "vendors": ["python", "python$PRODUCT$cpython"]}