Python vulnerability on Windows can trigger out-of-bounds writes in asyncio socket handling


A newly disclosed Python vulnerability affects Windows systems that use asyncio for network operations. The flaw, tracked as CVE-2026-3298, stems from a missing boundary check in sock_recvfrom_into() and can let incoming network data write past the end of the destination buffer. Non-Windows platforms are not affected.

The issue matters because out-of-bounds writes can corrupt memory and destabilize applications. The GitHub advisory rates the bug as high severity with a CVSS 4.0 score of 8.8, and the CVE record confirms the bug only affects Windows implementations of this asyncio path.

The vulnerable code path involves the nbytes parameter in sock_recvfrom_into(). According to the advisory, Python failed to verify that the received data would fit inside the provided buffer before writing to it.

What is affected

This is a Windows-only problem. The CPython issue report says the bug was tested on Windows, and the advisory explicitly says non-Windows platforms are not affected.

The flaw sits in asyncio’s Windows event-loop implementation, which the advisory describes as asyncio.ProactorEventLoop and the CPython issue tracks under asyncio.AbstractEventLoop.sock_recvfrom_into(). The naming differs between sources, but both point to the same Windows-side receive path and the same missing buffer-length validation.

Only applications that use this API path are exposed. In practice, that means Windows Python deployments using asyncio-based socket receive operations with sock_recvfrom_into() and the nbytes parameter deserve immediate review. This is an inference from the advisory description and linked CPython issue.
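The following is an added example, not code from the advisory or from CPython. It shows a defensive wrapper that enforces the documented contract of loop.sock_recvfrom_into(sock, buf, nbytes=0) in the caller's own code: nbytes must fit inside the buffer, and nbytes == 0 means "use the whole buffer". The helper names (effective_nbytes, safe_sock_recvfrom_into, demo) and the loopback UDP traffic in demo() are constructed for this illustration; the point is that an application performs the length check itself rather than relying on an unpatched runtime to do it.

```python
# Added example (not CPython's code): validate the nbytes/buffer relationship
# before calling loop.sock_recvfrom_into(), so a runtime missing the boundary
# check is never asked to receive more bytes than the buffer can hold.
import asyncio
import socket


def effective_nbytes(buf, nbytes=0):
    """Return the byte count a receive may use, or raise ValueError.

    Follows the documented contract of loop.sock_recvfrom_into(): nbytes == 0
    means "fill the whole buffer"; a negative value or one larger than the
    buffer is rejected here instead of being passed to the event loop.
    (Assumed policy for this wrapper, not behaviour taken from the advisory.)
    """
    buflen = memoryview(buf).nbytes
    if nbytes < 0:
        raise ValueError(f"nbytes must be >= 0, got {nbytes}")
    if nbytes == 0:
        return buflen
    if nbytes > buflen:
        raise ValueError(f"nbytes={nbytes} exceeds buffer size {buflen}")
    return nbytes


async def safe_sock_recvfrom_into(loop, sock, buf, nbytes=0):
    """Guarded stand-in for loop.sock_recvfrom_into(sock, buf, nbytes)."""
    limit = effective_nbytes(buf, nbytes)
    received, addr = await loop.sock_recvfrom_into(sock, buf, limit)
    # Invariant check: the runtime must never report more bytes than the
    # window we allowed. Treat a violation as fatal rather than continuing
    # with possibly corrupted memory.
    if received > limit:
        raise RuntimeError(
            f"runtime reported {received} bytes into a {limit}-byte window")
    return received, addr


async def demo():
    """Loopback UDP round trip using constructed sample traffic."""
    loop = asyncio.get_running_loop()
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(("127.0.0.1", 0))
    rx.setblocking(False)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tx.setblocking(False)
    try:
        buf = bytearray(32)
        # An oversized window is refused locally, before any receive happens.
        try:
            await safe_sock_recvfrom_into(loop, rx, buf, 64)
        except ValueError as exc:
            print("rejected:", exc)
        payload = b"A" * 16  # constructed datagram that fits the window
        await loop.sock_sendto(tx, payload, rx.getsockname())
        n, addr = await safe_sock_recvfrom_into(loop, rx, buf, 16)
        return n, bytes(buf[:n])
    finally:
        rx.close()
        tx.close()


if __name__ == "__main__":
    # Requires Python 3.11+ for loop.sock_sendto() / loop.sock_recvfrom_into().
    print(asyncio.run(demo()))
```

The pure effective_nbytes() check is the part worth unit-testing in a project; the async wrapper only adds the post-receive invariant. Once a patched interpreter is deployed the wrapper is redundant but harmless, since the runtime will reject the same inputs with its own ValueError.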

What Python has done so far

The vulnerability became public on April 21, 2026. The GitHub advisory and CVE record both list that date, while the CPython issue was opened on April 20, 2026 by Seth Larson.

CPython has already prepared a fix. The security issue links to pull request #148809, and the issue page also shows follow-up backport PRs for the 3.11, 3.12, 3.13, and 3.14 branches.

What is still unclear is the exact list of released patched versions. The GitHub advisory currently lists affected and patched versions as unknown, so it is safer to point readers to official Python release notes and security announcements instead of naming versions without confirmation.

At a glance

CVE: CVE-2026-3298
Severity: High
CVSS: 8.8
Affected platform: Windows only
Vulnerable area: asyncio sock_recvfrom_into()
Root cause: Missing boundary check when using nbytes
Public disclosure: April 21, 2026
Fix status: Fix and backport PRs linked, released patched versions not yet clearly listed in the advisory

What developers should do now

  • Check Windows Python applications that use asyncio socket receive operations, especially any code paths using sock_recvfrom_into() with nbytes.
  • Watch Python’s official security announcements and release pages for confirmed patched versions before rollout planning.
  • Treat this as a high-priority update for network-facing Windows services, since the advisory marks the bug as network exploitable with no required privileges or user interaction.
  • Track the linked CPython fix and backports if you maintain embedded or pinned Python runtimes.
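The first action item above asks teams to find every code path that calls sock_recvfrom_into(). Below is an added example, not from the advisory or CPython, of a small AST-based inventory tool that locates those call sites in Python source and reports how nbytes is supplied at each one (omitted, a literal, or a computed expression), so reviewers can prioritise the ones where the value is not obviously bounded by the buffer. The function names and the SAMPLE source text are constructed for this illustration.

```python
# Added example: inventory sock_recvfrom_into() call sites in Python source.
# Matches any attribute call named sock_recvfrom_into, which covers
# loop.sock_recvfrom_into(...) as well as self.loop.sock_recvfrom_into(...).
import ast
from dataclasses import dataclass


@dataclass
class CallSite:
    line: int
    nbytes_source: str  # "omitted", "literal" or "expression"
    nbytes_text: str    # source text of the nbytes argument, if any


def _describe_nbytes(node):
    """Classify how the nbytes argument is given at a call site."""
    if node is None:
        return "omitted", ""
    text = ast.unparse(node)
    if isinstance(node, ast.Constant):
        return "literal", text
    return "expression", text


def find_recvfrom_into_calls(source, filename="<string>"):
    """Return CallSite records for every sock_recvfrom_into() call in source."""
    tree = ast.parse(source, filename=filename)
    sites = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if not (isinstance(func, ast.Attribute)
                and func.attr == "sock_recvfrom_into"):
            continue
        # Documented signature: sock_recvfrom_into(sock, buf, nbytes=0).
        # nbytes is the third positional argument or the keyword.
        nbytes_node = node.args[2] if len(node.args) >= 3 else None
        for kw in node.keywords:
            if kw.arg == "nbytes":
                nbytes_node = kw.value
        kind, text = _describe_nbytes(nbytes_node)
        sites.append(CallSite(node.lineno, kind, text))
    return sites


def review_priority(site):
    """Rank a call site for manual review (assumed triage policy).

    An omitted nbytes defaults to the buffer length and cannot overrun it, so
    it ranks lowest; literals and expressions must be checked against the
    buffer size by a reviewer.
    """
    return {"omitted": 0, "literal": 1, "expression": 2}[site.nbytes_source]


# Constructed sample source, not taken from any real project.
SAMPLE = '''
async def handler(loop, sock):
    buf = bytearray(1024)
    n, addr = await loop.sock_recvfrom_into(sock, buf)
    m, addr = await loop.sock_recvfrom_into(sock, buf, 2048)
    k, addr = await loop.sock_recvfrom_into(sock, buf, nbytes=len(buf))
    data, addr = await loop.sock_recvfrom(sock, 1024)
'''


if __name__ == "__main__":
    for site in sorted(find_recvfrom_into_calls(SAMPLE),
                       key=review_priority, reverse=True):
        print(f"line {site.line}: nbytes {site.nbytes_source} {site.nbytes_text}")
```

Run it over each .py file in a Windows service's tree (read the file and pass its text to find_recvfrom_into_calls) to get a list of places to inspect; the tool cannot prove that a literal or expression is within bounds, it only tells you where to look. ast.unparse() requires Python 3.9 or later.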

FAQ

What is CVE-2026-3298?

It is a high-severity Python vulnerability on Windows caused by a missing boundary check in asyncio’s sock_recvfrom_into() handling. It can lead to an out-of-bounds buffer write.

Are Linux and macOS affected?

No. The advisory explicitly says non-Windows platforms are not affected.

Has Python fixed it?

A fix exists in CPython pull request #148809, and the issue page links planned backports for multiple maintained branches. The public advisory does not yet clearly list final patched release numbers.

How serious is the risk?

The advisory rates it high severity with a score of 8.8. It describes the bug as network exploitable and requiring no privileges or user interaction.
