CVE-2024-0397

Advisory lineage Upstream: 0 Downstream: 27
Deferred
Published: 17 Jun 2024, 15:09
Last modified:03 Nov 2025, 21:50

Vulnerability Summary

Overall Risk (default)
medium
30/100
CVSS Score
7.4 HIGH
v3.1 (cve.org)
EPSS Score
0.4% LOW
0% probability +0.01%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

17 Jun 2024, 15:09
Published
Vulnerability first disclosed
03 Nov 2025, 21:50
Last Modified
Vulnerability information updated

Description

A defect was discovered in the Python “ssl” module where there is a memory race condition with the ssl.SSLContext methods “cert_store_stats()” and “get_ca_certs()”. The race condition can be triggered if the methods are called at the same time as certificates are loaded into the SSLContext, such as during the TLS handshake with a certificate directory configured. This issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5.

CVSS Metrics

  • v3.1HIGHScore: 7.4CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H

EPSS Trends

Current EPSS score: 0.40% Percentile: 61%

Techniques & Countermeasures

  • CWE-362Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

    The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.

Affected Systems

  • python software foundationcpython

    < 3.8.20 | ≥ 3.9.0, < 3.9.20 | ≥ 3.10.0, < 3.10.14 | ≥ 3.11.0, < 3.11.9 | ≥ 3.12.0, < 3.12.3 | ≥ 3.13.0a1, < 3.13.0a5

References (12)