Python asyncio Vulnerability Exposes Windows Systems to Remote Code Execution
Take action: If you're running Python applications on Windows (versions 3.11 through 3.14) that use asyncio for network communication, upgrade to the latest patched Python version as soon as it's available. Until then, avoid using the sock_recvfrom_into() method with untrusted network traffic, and watch for unexpected crashes on your Windows Python servers.
Learn More
The Python Software Foundation disclosed a high-severity vulnerability in the asyncio module that affects Windows systems that allows for memory corruption and potential code execution when processing network data.
The flaw is tracked as CVE-2026-3298 (CVSS score 3.1 of 9.8 and 4.0 of 8.8), An out-of-bounds write vulnerability in the sock_recvfrom_into() method of asyncio.ProactorEventLoop that occurs due to a missing boundary check on the nbytes parameter. When an application receives network data larger than the allocated buffer, the system fails to enforce limits and overwrites adjacent memory regions. This mechanism allows remote attackers to trigger application crashes or run arbitrary code by sending specially crafted network responses.
The impact of this flaw is limited to Windows platforms, as Linux and macOS use the SelectorEventLoop backend which does not contain the vulnerable code. Windows-hosted web servers, API backends, and services using asynchronous UDP communication are at the highest risk. Exploitation can lead to total system compromise if the attacker successfully chains the memory corruption with other primitives to gain control over the execution flow. Organizations processing variable-length network input into fixed buffers are particularly exposed.
The vulnerability affects CPython versions 3.11.0 through versions prior to 3.15.0. Python security developer Seth Larson identified the issue and confirmed that versions earlier than 3.11 are unaffected because the specific sock_recvfrom_into() function was not yet implemented. Developers can track the fix progress through GitHub Pull Request #148809, which introduces the necessary boundary checks to the asyncio core.
Administrators should upgrade Python installations to the latest patched versions as soon as they become available. If immediate patching is not possible, developers should avoid using the sock_recvfrom_into() method with the nbytes parameter when handling untrusted network traffic. Monitoring for unusual application crashes or memory allocation errors on Windows-based Python servers can help identify potential exploitation attempts.
