Description
The "profiling.sampling" module (Python 3.15+) and "asyncio introspection capabilities" (3.14+, "python -m asyncio ps" and "python -m asyncio pstree") features could be used to read and write addresses in a privileged process if that process connected to a malicious or "infected" Python process via the remote debugging feature. This vulnerability requires persistently and repeatedly connecting to the process to be exploited, even after the connecting process crashes with high likelihood due to ASLR.
Published: 2026-04-14
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: Privilege escalation via arbitrary memory read/write in a privileged process during remote debugging
Action: Patch urgently
AI Analysis

Impact

The vulnerability allows the remote debugging feature in CPython to perform out‑of‑bounds memory operations that can read or write addresses in a privileged process. This flaw combines buffer overflow style misuse of memory pointers (CWE‑121) with unchecked bounds checking (CWE‑125). If achieved, an attacker could manipulate the target process’s memory, potentially leading to arbitrary code execution or other security breaches.

Affected Systems

Any Python installation using CPython’s built‑in remote debugging capability is affected. No specific version ranges are listed, so the issue applies to all releases that support this feature until a patch is applied.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity. Exploitation requires the attacker to establish a persistent, repeated connection to the target process and may repeatedly crash the connecting process due to ASLR. The lack of an EPSS score and absence from the KEV catalog suggest that widespread exploitation is currently unlikely, but the potential for privilege escalation remains significant if the conditions are met.

Generated by OpenCVE AI on April 14, 2026 at 16:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest CPython release that contains the fixed remote debugging logic
  • Disable the remote debugging feature on production hosts if it is not required
  • Audit system logs for repeated debugging connections to detect potential malicious activity
  • If immediate patching is not possible, restrict access to the debugging interface to trusted hosts only

Generated by OpenCVE AI on April 14, 2026 at 16:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-822
References
Metrics threat_severity

None

 cvssV3_1

{'score': 6.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N'}

threat_severity

Moderate

Tue, 14 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
References

Tue, 14 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 16:00:00 +0000

Type Values Removed Values Added
Description The Python remote debugging feature could be used to read and write addresses in a privileged process if that process connected to a malicious or "infected" Python process via the remote debugging feature. This vulnerability requires persistently and repeatedly connecting to the process to be exploited, even after the connecting process crashes with high likelihood due to ASLR. The "profiling.sampling" module (Python 3.15+) and "asyncio introspection capabilities" (3.14+, "python -m asyncio ps" and "python -m asyncio pstree") features could be used to read and write addresses in a privileged process if that process connected to a malicious or "infected" Python process via the remote debugging feature. This vulnerability requires persistently and repeatedly connecting to the process to be exploited, even after the connecting process crashes with high likelihood due to ASLR.
Title Out-of-bounds read/write during remote debugging when connecting to malicious target Out-of-bounds read/write during remote profiling and asyncio process introspection when connecting to malicious target
References

Tue, 14 Apr 2026 15:45:00 +0000

Type Values Removed Values Added
Description The Python remote debugging feature could be used to read and write addresses in a privileged process if that process connected to a malicious or "infected" Python process via the remote debugging feature. This vulnerability requires persistently and repeatedly connecting to the process to be exploited, even after the connecting process crashes with high likelihood due to ASLR.
Title Out-of-bounds read/write during remote debugging when connecting to malicious target
Weaknesses CWE-121
CWE-125
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: PSF

Published:

Updated: 2026-04-14T16:07:07.344Z

Reserved: 2026-04-06T17:16:14.111Z

Link: CVE-2026-5713

cve-icon Vulnrichment

Updated: 2026-04-14T15:49:35.525Z

cve-icon NVD

Status : Received

Published: 2026-04-14T16:16:48.717

Modified: 2026-04-14T17:16:54.363

Link: CVE-2026-5713

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-14T15:11:51Z

Links: CVE-2026-5713 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:30:22Z

Weaknesses