rustsec-2026-0177
Vulnerability from osv_rustsec
PyCFunction::new_closure (and the temporary new_closure_bound complement in
the 0.21–0.22 series) required the supplied closure to be Send + 'static but
not Sync. The resulting PyCFunction is a Python callable that can be
invoked from any Python thread, which means the closure may be called
concurrently from multiple threads, and needs a Sync bound to prevent
possible data races.
The problem exists under all Python versions but is particularly vulnerable under
the newer free-threaded Python variant, which do not have serial execution
imposed by the Global Interpreter Lock. Under releases protected by the GIL,
the ability to "detach" from the Python interpreter temporarily inside the closure
(e.g. by Python::detach) makes it possible for interleaved and/or concurrent
execution of various portions of the closure.
PyO3 0.29.0 added a Sync bound to close this thread-safety bug.
| URL | Type | |
|---|---|---|
{
"affected": [
{
"database_specific": {
"categories": [
"thread-safety"
],
"cvss": null,
"informational": null
},
"ecosystem_specific": {
"affected_functions": null,
"affects": {
"arch": [],
"functions": [
"pyo3::types::PyCFunction::new_closure",
"pyo3::types::PyCFunction::new_closure_bound"
],
"os": []
}
},
"package": {
"ecosystem": "crates.io",
"name": "pyo3",
"purl": "pkg:cargo/pyo3"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.0-0"
},
{
"fixed": "0.29.0"
}
],
"type": "SEMVER"
}
],
"versions": []
}
],
"aliases": [
"GHSA-chgr-c6px-7xpp"
],
"database_specific": {
"license": "CC0-1.0"
},
"details": "`PyCFunction::new_closure` (and the temporary `new_closure_bound` complement in\nthe 0.21\u20130.22 series) required the supplied closure to be `Send + \u0027static` but\nnot `Sync`. The resulting `PyCFunction` is a Python callable that can be\ninvoked from any Python thread, which means the closure may be called\nconcurrently from multiple threads, and needs a `Sync` bound to prevent\npossible data races.\n\nThe problem exists under all Python versions but is particularly vulnerable under\nthe newer free-threaded Python variant, which do not have serial execution\nimposed by the Global Interpreter Lock. Under releases protected by the GIL,\nthe ability to \"detach\" from the Python interpreter temporarily inside the closure\n(e.g. by `Python::detach`) makes it possible for interleaved and/or concurrent\nexecution of various portions of the closure.\n\nPyO3 0.29.0 added a `Sync` bound to close this thread-safety bug.",
"id": "RUSTSEC-2026-0177",
"modified": "2026-06-13T06:16:34Z",
"published": "2026-06-11T12:00:00Z",
"references": [
{
"type": "PACKAGE",
"url": "https://crates.io/crates/pyo3"
},
{
"type": "ADVISORY",
"url": "https://rustsec.org/advisories/RUSTSEC-2026-0177.html"
},
{
"type": "WEB",
"url": "https://github.com/PyO3/pyo3/pull/6096"
}
],
"related": [],
"severity": [],
"summary": "Missing `Sync` bound on `PyCFunction::new_closure` closures"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.