Zero Day Monitor (ZDM) © 2026
CVE-2026-5713 · EXPLOITED · PATCHED
Python Software Foundation · Python

Out-of-bounds read/write during remote profiling and asyncio process introspection when connecting to malicious target

Description

The "profiling.sampling" module (Python 3.15+) and the asyncio introspection features (3.14+, "python -m asyncio ps" and "python -m asyncio pstree") could be used to read and write addresses in a privileged process if that process connected to a malicious or "infected" Python process via the remote debugging feature. Because ASLR makes each attempt likely to crash the connecting process, exploitation requires the privileged process to connect to the malicious target persistently and repeatedly.

Affected Products

Vendor                      Product   Versions
Python Software Foundation  Python    3.14.0

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor       Product   Source          Confidence
open source  python    cert_advisory   90%

References

  • https://github.com/python/cpython/pull/148187 (patch)
  • https://github.com/python/cpython/issues/148178 (issue-tracking)
  • https://mail.python.org/archives/list/security-announce@python.org/thread/OG4RHARYSNIE22GGOMVMCRH76L5HKPLM/ (vendor-advisory)
  • https://github.com/python/cpython/commit/289fd2c97a7e5aecb8b69f94f5e838ccfeee7e67 (patch)

Related News (5 articles)

Tier B · BSI Advisories · 4d ago
[UPDATE] [medium] Python: Multiple vulnerabilities allow denial of service
→ No new info (linked only)
Tier C · oss-security · 4d ago
[oss-security][CVE-2026-5713] CPython: Out-of-bounds read/write during remote debugging when connecting to malicious target
→ No new info (linked only)
Tier B · BSI Advisories · 5d ago
[NEW] [medium] CPython: Vulnerability allows manipulation of data
→ No new info (linked only)
Tier B · CERT-FR · 5d ago
Vulnerability in Python (15 April 2026)
→ No new info (linked only)
Tier C · VulDB · 5d ago
CVE-2026-5713 | Python CPython up to 3.14.x profiling.sampling/asyncio stack-based overflow (ID 148178)
→ No new info (linked only)
CISA KEV: ❌ No
Actively exploited: ✅ Yes
Patch available: 3.15.0
CWE: CWE-121, CWE-125
Published: Apr 14, 2026
Last enriched: 4d ago (v3)
Tags: denial of service, dos, python
Trending Score: 31
Source articles: 5
Independent: 4
Info Completeness: 9/14
Missing: cvss, epss, kev, iocs, mitre_attack

Community Vote

Score: 0 (0 upvotes, 0 downvotes; no votes yet)

Related CVEs (5)

NONE · CVE-2026-4786 · EXP
Incomplete mitigation of CVE-2026-4519, %action expansion for command injection to webbrowser.open()
Trending: 58
NONE · CVE-2026-1502
HTTP client proxy tunnel headers not validated for CR/LF
Trending: 23
NONE · CVE-2026-3446 · EXP
Base64 decoding stops at first padded quad by default
Trending: 19
NONE · CVE-2026-3644
Incomplete control character validation in http.cookies
Trending: 17
HIGH · CVE-2026-34591 · EXP
Poetry Has Wheel Path Traversal Which Can Lead to Arbitrary File Write
Trending: 9

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published
Apr 14, 2026
Discovered by ZDM
Apr 14, 2026
Updated: description, affectedVersions, severity
Apr 14, 2026
Updated: description, affectedVersions, exploitAvailable, activelyExploited
Apr 15, 2026
Actively Exploited
Apr 15, 2026
Exploit Available
Apr 15, 2026
Patch Available
Apr 15, 2026

Version History

v3 · Last enriched 4d ago

v3 · Tier C · 4d ago

Updated description to include remote debugging context, added affected version 3.14.1, and marked exploit availability and active exploitation as true.

Fields changed: description, affectedVersions, exploitAvailable, activelyExploited
via oss-security
v2 · Tier C · 5d ago

Updated severity to CRITICAL, added new description detailing stack-based buffer overflow, and corrected vendor and product names.

Fields changed: description, affectedVersions, severity
via VulDB
v1 · 5d ago

Initial creation