https://vulnerability.circl.lu Contains only the most 10 recent sightings. http://www.rssboard.org/rss-specification python-feedgen en Fri, 19 Jun 2026 16:34:13 +0000 https://vulnerability.circl.lu/sighting/a545e4a7-cf78-423d-ac70-3d2bdf1315a0/export {"uuid": "a545e4a7-cf78-423d-ac70-3d2bdf1315a0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-CHGR-C6PX-7XPP", "type": "seen", "source": "https://gist.github.com/alon710/7781242dd6423ae75e05b31377b89606", "content": "# GHSA-CHGR-C6PX-7XPP: GHSA-chgr-c6px-7xpp: Thread-Safety Data Race in PyO3 Closure Wrapping\n\n> **CVSS Score:** 5.9\n> **Published:** 2026-06-12\n> **Full Report:** https://cvereports.com/reports/GHSA-CHGR-C6PX-7XPP\n\n## Summary\nA thread-safety vulnerability exists in the PyO3 library versions prior to 0.29.0 due to a missing Sync trait bound on closure type parameters. This omission allows safe Rust code to register non-thread-safe closures as Python callables, leading to concurrent shared mutation and data races during multithreaded execution.\n\n## TL;DR\nMissing Sync bound in PyO3 allows thread-unsafe closures (capturing Cell or RefCell) to compile, resulting in data races and memory corruption when concurrently executed by Python threads.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization)\n- **Attack Vector**: Network\n- **Attack Complexity**: High\n- **CVSS v4.0 Vector**: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N\n- **EPSS Score**: N/A\n- **Exploit Status**: Proof of Concept\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- pyo3 crate\n- Rust-Python applications utilizing PyO3 closures\n- **pyo3**: >= 0.15.0, < 0.29.0 (Fixed in: `0.29.0`)\n\n## Mitigation\n\n- Upgrade pyo3 dependency to version 0.29.0 or higher.\n- Replace non-Sync types like Cell and RefCell inside closures with thread-safe types like Mutex, RwLock, or atomic integers.\n- Audit all calls to PyCFunction::new_closure and PyCFunction::new_closure_bound to verify compile-time validation.\n\n**Remediation Steps:**\n1. Open the Cargo.toml file of your Rust project.\n2. Locate the pyo3 dependency entry.\n3. Update the pyo3 version to 0.29.0 or later: pyo3 = { version = '0.29.0' }.\n4. Run cargo build to trigger the compiler's static analysis.\n5. Address any compilation errors related to non-Sync types inside closures by replacing them with thread-safe alternatives.\n\n## References\n\n- [GitHub Advisory: GHSA-CHGR-C6PX-7XPP](https://github.com/advisories/GHSA-CHGR-C6PX-7XPP)\n- [RustSec Advisory Database: RUSTSEC-2026-0177](https://rustsec.org/advisories/RUSTSEC-2026-0177.html)\n- [PyO3 Pull Request #6096: Add Sync bound to closure in PyCFunction::new_closure](https://github.com/PyO3/pyo3/pull/6096)\n- [PyO3 Release v0.29.0](https://github.com/PyO3/pyo3/releases/tag/v0.29.0)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-CHGR-C6PX-7XPP) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-15T11:41:32.000000Z"} {"uuid": "a545e4a7-cf78-423d-ac70-3d2bdf1315a0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-CHGR-C6PX-7XPP", "type": "seen", "source": "https://gist.github.com/alon710/7781242dd6423ae75e05b31377b89606", "content": "# GHSA-CHGR-C6PX-7XPP: GHSA-chgr-c6px-7xpp: Thread-Safety Data Race in PyO3 Closure Wrapping\n\n> **CVSS Score:** 5.9\n> **Published:** 2026-06-12\n> **Full Report:** https://cvereports.com/reports/GHSA-CHGR-C6PX-7XPP\n\n## Summary\nA thread-safety vulnerability exists in the PyO3 library versions prior to 0.29.0 due to a missing Sync trait bound on closure type parameters. This omission allows safe Rust code to register non-thread-safe closures as Python callables, leading to concurrent shared mutation and data races during multithreaded execution.\n\n## TL;DR\nMissing Sync bound in PyO3 allows thread-unsafe closures (capturing Cell or RefCell) to compile, resulting in data races and memory corruption when concurrently executed by Python threads.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization)\n- **Attack Vector**: Network\n- **Attack Complexity**: High\n- **CVSS v4.0 Vector**: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N\n- **EPSS Score**: N/A\n- **Exploit Status**: Proof of Concept\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- pyo3 crate\n- Rust-Python applications utilizing PyO3 closures\n- **pyo3**: >= 0.15.0, < 0.29.0 (Fixed in: `0.29.0`)\n\n## Mitigation\n\n- Upgrade pyo3 dependency to version 0.29.0 or higher.\n- Replace non-Sync types like Cell and RefCell inside closures with thread-safe types like Mutex, RwLock, or atomic integers.\n- Audit all calls to PyCFunction::new_closure and PyCFunction::new_closure_bound to verify compile-time validation.\n\n**Remediation Steps:**\n1. Open the Cargo.toml file of your Rust project.\n2. Locate the pyo3 dependency entry.\n3. Update the pyo3 version to 0.29.0 or later: pyo3 = { version = '0.29.0' }.\n4. Run cargo build to trigger the compiler's static analysis.\n5. Address any compilation errors related to non-Sync types inside closures by replacing them with thread-safe alternatives.\n\n## References\n\n- [GitHub Advisory: GHSA-CHGR-C6PX-7XPP](https://github.com/advisories/GHSA-CHGR-C6PX-7XPP)\n- [RustSec Advisory Database: RUSTSEC-2026-0177](https://rustsec.org/advisories/RUSTSEC-2026-0177.html)\n- [PyO3 Pull Request #6096: Add Sync bound to closure in PyCFunction::new_closure](https://github.com/PyO3/pyo3/pull/6096)\n- [PyO3 Release v0.29.0](https://github.com/PyO3/pyo3/releases/tag/v0.29.0)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-CHGR-C6PX-7XPP) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-15T11:41:32.000000Z"} https://vulnerability.circl.lu/sighting/a545e4a7-cf78-423d-ac70-3d2bdf1315a0/export Mon, 15 Jun 2026 11:41:32 +0000