This vulnerability was reported to MITRE without a report to the Python Security Response Team (security@python.org). Thanks to Samuel Henrique for reporting this vulnerability to the PSRT for a proper advisory to be published. Reports for vulnerabilities in Python should be sent to the PSRT to ensure an advisory is published properly.

Description

A use-after-free exists in Python through 3.9 via heappushpop in heapq.

Affected versions

Python 3.9.0a1 to 3.9.0a2 *
Python 3.8.0 to 3.8.1
Python 3.7.0 to 3.7.6 **
Python 3.6.10 and earlier **

* Pre-release versions of Python are not recommended for production use.

** Note that Python 3.7.17 and earlier will not be receiving an upstream
security fix due to being end-of-life (https://devguide.python.org/versions) contact your distributor of Python for additional guidance.

Remediation and work-arounds

Upgrade to Python 3.9.0, 3.8.2, 3.7.7, or 3.6.11.
Apply a patch for your corresponding version of Python

Patches are available for all supported feature, bugfix, and security branches of Python:

References

Credits

Reporter: Samuel Henrique