CVE-2024-5642

Buffer overread when using an empty list with SSLContext.set_npn_protocols()

Description

CPython 3.9 and earlier doesn't disallow configuring an empty list ("[]") for SSLContext.set_npn_protocols() which is an invalid value for the underlying OpenSSL API. This results in a buffer over-read when NPN is used (see CVE-2024-5535 for OpenSSL). This vulnerability is of low severity due to NPN being not widely used and specifying an empty list likely being uncommon in-practice (typically a protocol name would be configured).

6.5
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.49%
Vendor Advisory python.org
Affected: Python Software Foundation CPython
Published at:
Updated at:

References

Link Tags
https://jbp.io/2024/06/27/cve-2024-5535-openssl-memory-safety.html third party advisory
https://github.com/python/cpython/pull/23014 mitigation
https://mail.python.org/archives/list/security-announce@python.org/thread/PLP2JI3PJY33YG6P5BZYSSNU66HASXBQ/ vendor advisory
https://github.com/python/cpython/commit/39258d3595300bc7b952854c915f63ae2d4b9c3e patch
http://www.openwall.com/lists/oss-security/2024/06/28/4
https://github.com/python/cpython/issues/121227 issue tracking
https://security.netapp.com/advisory/ntap-20240726-0005/

Frequently Asked Questions

What is the severity of CVE-2024-5642?
CVE-2024-5642 has been scored as a medium severity vulnerability.
How to fix CVE-2024-5642?
To fix CVE-2024-5642, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-5642 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2024-5642 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-5642?
CVE-2024-5642 affects Python Software Foundation CPython.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.