Description
The "profiling.sampling" module (Python 3.15+) and "asyncio introspection capabilities" (3.14+, "python -m asyncio ps" and "python -m asyncio pstree") features could be used to read and write addresses in a privileged process if that process connected to a malicious or "infected" Python process via the remote debugging feature. This vulnerability requires persistently and repeatedly connecting to the process to be exploited, even after the connecting process crashes with high likelihood due to ASLR.
Published: 2026-04-14
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Read/Write
Action: Mitigate
AI Analysis

Impact

The vulnerability affects Python's profiling.sampling module and asyncio introspection tools, allowing a malicious or infected Python process to perform out-of-bounds read and write operations in a privileged target process that connects via the remote debugging feature. This can lead to leakage of sensitive memory or modification of memory contents, potentially compromising confidentiality or integrity of the privileged process.

Affected Systems

Python CPython 3.15+ for the profiling.sampling module and Python CPython 3.14+ for asyncio introspection commands (python -m asyncio ps and python -m asyncio pstree).

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. Because the exploit requires a persistent remote debugging connection to a privileged process, the attack vector is likely remote or local with privileged access. EPSS data is unavailable, and the vulnerability is not listed in the CISA KEV catalog, so no known active exploitation is documented. The need for repeated connections and the high likelihood of crashing due to ASLR suggests that while exploitation is possible, it may require significant effort and expertise.

Generated by OpenCVE AI on April 15, 2026 at 01:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify whether the remote debugging feature is enabled in the Python runtime.
  • Disable or restrict the remote debugging feature and limit access to the asyncio introspection commands.
  • Monitor logs for unauthorized remote debugging activity and ensure only trusted processes connect.
  • Plan to upgrade to a CPython release that contains the fix when it becomes available.

Generated by OpenCVE AI on April 15, 2026 at 01:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
References

Wed, 15 Apr 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Python
Python cpython
Vendors & Products Python
Python cpython

Wed, 15 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-822
References
Metrics threat_severity

None

 cvssV3_1

{'score': 6.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N'}

threat_severity

Moderate

Tue, 14 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
References

Tue, 14 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 16:00:00 +0000

Type Values Removed Values Added
Description The Python remote debugging feature could be used to read and write addresses in a privileged process if that process connected to a malicious or "infected" Python process via the remote debugging feature. This vulnerability requires persistently and repeatedly connecting to the process to be exploited, even after the connecting process crashes with high likelihood due to ASLR. The "profiling.sampling" module (Python 3.15+) and "asyncio introspection capabilities" (3.14+, "python -m asyncio ps" and "python -m asyncio pstree") features could be used to read and write addresses in a privileged process if that process connected to a malicious or "infected" Python process via the remote debugging feature. This vulnerability requires persistently and repeatedly connecting to the process to be exploited, even after the connecting process crashes with high likelihood due to ASLR.
Title Out-of-bounds read/write during remote debugging when connecting to malicious target Out-of-bounds read/write during remote profiling and asyncio process introspection when connecting to malicious target
References

Tue, 14 Apr 2026 15:45:00 +0000

Type Values Removed Values Added
Description The Python remote debugging feature could be used to read and write addresses in a privileged process if that process connected to a malicious or "infected" Python process via the remote debugging feature. This vulnerability requires persistently and repeatedly connecting to the process to be exploited, even after the connecting process crashes with high likelihood due to ASLR.
Title Out-of-bounds read/write during remote debugging when connecting to malicious target
Weaknesses CWE-121
CWE-125
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Python Cpython
cve-icon MITRE

Status: PUBLISHED

Assigner: PSF

Published:

Updated: 2026-04-15T17:24:22.172Z

Reserved: 2026-04-06T17:16:14.111Z

Link: CVE-2026-5713

cve-icon Vulnrichment

Updated: 2026-04-15T17:24:22.172Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-14T16:16:48.717

Modified: 2026-04-17T15:11:35.840

Link: CVE-2026-5713

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-14T15:11:51Z

Links: CVE-2026-5713 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T15:30:06Z

Weaknesses