High-Severity Memory Corruption Flaw Discovered in Python’s asyncio on Windows
A critical security vulnerability (CVE-2026-3298) was disclosed on April 21, 2026, affecting Python’s asyncio module on Windows systems. The flaw, identified by Python security developer Seth Larson, enables out-of-bounds (OOB) memory writes in the sock_recvfrom_into() method of asyncio.ProactorEventLoop, a Windows-specific event loop for asynchronous I/O operations.
The issue stems from a missing boundary check when the optional nbytes parameter is used. If incoming network data exceeds the pre-allocated buffer size, Python fails to enforce the limit, allowing the excess data to overwrite adjacent memory. This can lead to memory corruption, application crashes, or, under specific conditions, arbitrary code execution.
The vulnerability is exclusive to Windows, as other platforms (Linux, macOS, Unix) use the unaffected SelectorEventLoop backend. Systems at risk include Windows-hosted Python web servers, API backends, and applications using UDP socket operations or variable-length network data in fixed-size buffers.
Given the widespread use of ProactorEventLoop as the default event loop since Python 3.8, the flaw impacts a broad range of modern Python deployments on Windows. The Python security team classified it as high severity, citing the potential for exploitation in memory corruption attacks.
A patch (GitHub PR #148809) has been submitted, introducing the missing boundary check to prevent buffer overflows. Users are advised to monitor the official CVE record for patched version details and apply updates promptly. Until then, avoiding sock_recvfrom_into() with nbytes in untrusted environments is recommended.
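The boundary check the article describes as missing, enforced on the caller's side as an interim mitigation: this is an added example, not code from CPython, the patch, or the article. It assumes the documented asyncio signature loop.sock_recvfrom_into(sock, buf, nbytes=0), where nbytes=0 means "fill the whole buffer"; the loop-type helper only tells you whether the Windows-only ProactorEventLoop backend is in use, not whether the interpreter is patched.

```python
import asyncio

# Added example (not CPython, the patch, or the article's code): a caller-side
# bounds check for the nbytes argument of loop.sock_recvfrom_into(), the check
# CVE-2026-3298 describes as missing in asyncio.ProactorEventLoop on Windows.


def check_nbytes(buf, nbytes: int = 0) -> int:
    """Return the validated receive limit for buf, or raise.

    Follows the documented asyncio convention: nbytes == 0 means "up to the
    whole buffer". A read-only buffer, a negative value, or a value larger
    than the writable buffer is rejected here, before any receive call could
    write past the buffer's end.
    """
    view = memoryview(buf)
    if view.readonly:
        raise TypeError("buf must be a writable buffer (e.g. bytearray)")
    capacity = view.nbytes
    if nbytes < 0:
        raise ValueError(f"nbytes must be >= 0, got {nbytes}")
    if nbytes > capacity:
        raise ValueError(f"nbytes {nbytes} exceeds buffer capacity {capacity}")
    return nbytes or capacity


def uses_proactor_loop(loop) -> bool:
    """True when loop is the Windows-only ProactorEventLoop named in the
    advisory; SelectorEventLoop (Linux, macOS, Unix) is not affected."""
    proactor = getattr(asyncio, "ProactorEventLoop", None)  # absent off Windows
    return proactor is not None and isinstance(loop, proactor)


async def safe_sock_recvfrom_into(loop, sock, buf, nbytes: int = 0):
    """Drop-in stand-in for loop.sock_recvfrom_into() that validates nbytes
    first. Returns (bytes_received, address) exactly like the original."""
    limit = check_nbytes(buf, nbytes)
    return await loop.sock_recvfrom_into(sock, buf, limit)
```

Route every recvfrom-into call in the application through safe_sock_recvfrom_into until the patched release is deployed; the wrapper adds one length comparison per call and no other behaviour.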
Source: https://gbhackers.com/python-vulnerability-enables-out-of-bounds/
Python Software Foundation cybersecurity rating report: https://www.rankiteo.com/company/thepsf
{
  "id": "THE1777019202",
  "linkid": "thepsf",
  "type": "Vulnerability",
  "date": "4/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}

{
  "affected_entities": [
    {
      "customers_affected": "Users of Python 3.8+ on Windows using asyncio.ProactorEventLoop",
      "industry": "Technology",
      "location": "Global",
      "name": "Python Software Foundation",
      "type": "Software Vendor"
    }
  ],
  "attack_vector": "Network",
  "customer_advisories": "Users are advised to avoid `sock_recvfrom_into()` with *nbytes* in untrusted environments until the patch is applied.",
  "date_publicly_disclosed": "2026-04-21",
  "description": "A critical security vulnerability (CVE-2026-3298) was disclosed affecting Python’s *asyncio* module on Windows systems. The flaw enables out-of-bounds (OOB) memory writes in the `sock_recvfrom_into()` method of `asyncio.ProactorEventLoop`, leading to memory corruption, application crashes, or arbitrary code execution under specific conditions. The issue stems from a missing boundary check when the optional *nbytes* parameter is used.",
  "impact": {
    "operational_impact": "Application crashes, potential arbitrary code execution",
    "systems_affected": "Windows-hosted Python applications using asyncio.ProactorEventLoop"
  },
  "post_incident_analysis": {
    "corrective_actions": "Introduce boundary checks to prevent buffer overflows",
    "root_causes": "Missing boundary check in `sock_recvfrom_into()` method of `asyncio.ProactorEventLoop`"
  },
  "recommendations": "Apply the patch (GitHub PR #148809) promptly and monitor the official CVE record for updates.",
  "references": [
    {
      "source": "Python Security Team",
      "url": "https://github.com/python/cpython/pull/148809"
    }
  ],
  "response": {
    "containment_measures": "Avoid using `sock_recvfrom_into()` with *nbytes* in untrusted environments",
    "remediation_measures": "Patch (GitHub PR #148809) introducing boundary checks"
  },
  "title": "High-Severity Memory Corruption Flaw in Python’s asyncio on Windows",
  "type": "Memory Corruption",
  "vulnerability_exploited": "CVE-2026-3298"
}