Description
A defect was discovered in the Python “ssl” module where there is a memory race condition with the ssl.SSLContext methods “cert_store_stats()” and “get_ca_certs()”. The race condition can be triggered if the methods are called at the same time as certificates are loaded into the SSLContext, such as during the TLS handshake with a certificate directory configured. This issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5.
References (12)
Core References
Vendor Advisory: https://security.netapp.com/advisory/ntap-20250411-0006/
Issue Tracking (issue-tracking): https://github.com/python/cpython/issues/114572
Issue Tracking (patch): https://github.com/python/cpython/pull/114573
Various Sources (vendor-advisory): https://mail.python.org/archives/list/[email protected]/thread/BMAK5BCGKYWNJOACVUSLUF6SFGBIM4VP/
Scores
CVSS v3: 7.4
EPSS: 0.0038
EPSS Percentile: 59.7%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-362
Status: published
Products (6)
Python Software Foundation/CPython: < 3.8.20
Python Software Foundation/CPython: 3.10.0 - 3.10.14
Python Software Foundation/CPython: 3.11.0 - 3.11.9
Python Software Foundation/CPython: 3.12.0 - 3.12.3
Python Software Foundation/CPython: 3.13.0a1 - 3.13.0a5
Python Software Foundation/CPython: 3.9.0 - 3.9.20
Published: Jun 17, 2024
Tracked Since: Feb 18, 2026