Description
There is an issue in CPython when using `bytes.decode("unicode_escape", error="ignore|replace")`. If you are not using the "unicode_escape" encoding or an error handler your usage is not affected. To work-around this issue you may stop using the error= handler and instead wrap the bytes.decode() call in a try-except catching the DecodeError.
Published: 2025-05-15
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Memory Corruption
Action: Apply Workaround
AI Analysis

Impact

A use‑after‑free flaw exists in CPython’s unicode_escape decoder when the error handler parameter is set to "ignore" or "replace". The bug can corrupt memory in the interpreter, potentially leading to application crashes or, if an attacker can supply crafted input, to more severe consequences such as arbitrary code execution. The CVSS score of 5.9 reflects a moderate impact and the flaw is a classic use‑after‑free. The description does not indicate remote code execution in normal usage, but the underlying weakness remains a serious memory corruption risk.

Affected Systems

The vulnerability affects CPython implementations from the Python Software Foundation. No specific versions are listed in the CNA data; all releases that allow the use of bytes.decode("unicode_escape", error="ignore|replace") are potentially impacted until a patch is released.

Risk and Exploitability

The EPSS score is below 1%, indicating a very low likelihood of exploitation in the wild at this time. The CVSS score shows moderate severity, and the vulnerability is not currently listed in the CISA KEV catalog. Most likely the attack vector requires code that runs in the context of the vulnerable Python interpreter and supplies input that triggers the UnicodeDecodeError path. In typical deployments an attacker would need to supply crafted byte sequences that hit the error handler logic. Given the low EPSS and lack of public exploit activity, the immediate risk to most systems is low, although the memory corruption remains a serious concern if the flaw is exercised.

Generated by OpenCVE AI on April 22, 2026 at 11:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Refactor any use of bytes.decode("unicode_escape", error="ignore" or "replace") to avoid these error handlers, using the default error handling or explicit exception handling instead.
  • Wrap bytes.decode("unicode_escape", ...) calls in a try‑except block that catches UnicodeDecodeError and handles the data safely.
  • Keep CPython updated; apply official patches once available that fix the use‑after‑free; monitor Python security advisories for new releases.

Generated by OpenCVE AI on April 22, 2026 at 11:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4445-1 python3.9 security update
EUVD EUVD EUVD-2025-15156 There is an issue in CPython when using `bytes.decode("unicode_escape", error="ignore|replace")`. If you are not using the "unicode_escape" encoding or an error handler your usage is not affected. To work-around this issue you may stop using the error= handler and instead wrap the bytes.decode() call in a try-except catching the DecodeError.
Ubuntu USN Ubuntu USN USN-7570-1 Python vulnerabilities
History

Mon, 07 Jul 2025 12:30:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.1, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Tue, 03 Jun 2025 13:30:00 +0000

Type Values Removed Values Added
References

Mon, 19 May 2025 10:30:00 +0000

Type Values Removed Values Added
References

Fri, 16 May 2025 18:45:00 +0000

Type Values Removed Values Added
References

Thu, 15 May 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 15 May 2025 14:00:00 +0000

Type Values Removed Values Added
References

Thu, 15 May 2025 13:45:00 +0000

Type Values Removed Values Added
Description There is an issue in CPython when using `bytes.decode("unicode_escape", error="ignore|replace")`. If you are not using the "unicode_escape" encoding or an error handler your usage is not affected. To work-around this issue you may stop using the error= handler and instead wrap the bytes.decode() call in a try-except catching the DecodeError.
Title Use-after-free in "unicode_escape" decoder with error handler
Weaknesses CWE-416
References
Metrics cvssV4_0

{'score': 5.9, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Python Cpython
cve-icon MITRE

Status: PUBLISHED

Assigner: PSF

Published:

Updated: 2026-04-21T20:16:47.161Z

Reserved: 2025-05-09T14:59:53.878Z

Link: CVE-2025-4516

cve-icon Vulnrichment

Updated: 2025-05-19T10:03:31.542Z

cve-icon NVD

Status : Deferred

Published: 2025-05-15T14:15:31.753

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-4516

cve-icon Redhat

Severity : Moderate

Publid Date: 2025-05-15T13:29:20Z

Links: CVE-2025-4516 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T12:00:05Z

Weaknesses