VulnerableCode Package Details - pkg:deb/debian/python3.11@0?distro=bookworm

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-1uuu-3h7v-3bes		CVE-2024-4030
VCID-4558-j9sy-zkhn	CPython v3.12.0 alpha 7 was discovered to contain a heap use-after-free via the function ascii_decode at /Objects/unicodeobject.c.	CVE-2023-33595
VCID-6137-18w7-hqap		CVE-2025-4435
VCID-6nhv-kmna-nfh5	There is a defect in the CPython standard library module “mimetypes” where on Windows the default list of known file locations are writable meaning other users can create invalid files to cause MemoryError to be raised on Python runtime startup or have file extensions be interpreted as the incorrect file type. This defect is caused by the default locations of Linux and macOS platforms (such as “/etc/mime.types”) also being used on Windows, where they are user-writable locations (“C:\etc\mime.types”). To work-around this issue a user can call mimetypes.init() with an empty list (“[]”) on Windows platforms to avoid using the default list of known file locations.	CVE-2024-3220
VCID-8kcs-tx37-nkca		CVE-2024-3219
VCID-cqde-7ptc-uuah		CVE-2024-12254
VCID-fggj-3rj4-fqcb		CVE-2024-5642
VCID-fy55-615v-fyfs		CVE-2026-4786
VCID-huaj-nmge-kuaj		CVE-2025-4330
VCID-k3um-zh86-abas		CVE-2025-4517
VCID-kx7z-47rq-uudg		CVE-2025-4138
VCID-ntft-rfz6-9kdr		CVE-2023-38898
VCID-qayb-9eug-23du	If `shutil.unpack_archive()` is given a ZIP archive with an absolute Windows path containing a drive (`C:\\...`) then the archive will be extracted outside the target directory which is different than other operating systems. Only Windows is affected by this vulnerability.	CVE-2026-3087
VCID-re25-vfea-auac	An issue was found in CPython 3.12.0 `subprocess` module on POSIX platforms. The issue was fixed in CPython 3.12.1 and does not affect other stable releases. When using the `extra_groups=` parameter with an empty list as a value (ie `extra_groups=[]`) the logic regressed to not call `setgroups(0, NULL)` before calling `exec()`, thus not dropping the original processes' groups before starting the new process. There is no issue when the parameter isn't used or when any value is used besides an empty list. This issue only impacts CPython processes run with sufficient privilege to make the `setgroups` system call (typically `root`).	CVE-2023-6507
VCID-tdgk-e9p1-gqfy	The method "sock_recvfrom_into()" of "asyncio.ProacterEventLoop" (Windows only) was missing a boundary check for the data buffer when using nbytes parameter. This allowed for an out-of-bounds buffer write if data was larger than the buffer size. Non-Windows platforms are not affected.	CVE-2026-3298
VCID-yz72-pvqh-xucs		CVE-2024-12718

Vulnerability

Summary

Aliases

VCID-1uuu-3h7v-3bes

CVE-2024-4030

VCID-4558-j9sy-zkhn

CPython v3.12.0 alpha 7 was discovered to contain a heap use-after-free via the function ascii_decode at /Objects/unicodeobject.c.

CVE-2023-33595

VCID-6137-18w7-hqap

CVE-2025-4435

VCID-6nhv-kmna-nfh5

There is a defect in the CPython standard library module “mimetypes” where on Windows the default list of known file locations are writable meaning other users can create invalid files to cause MemoryError to be raised on Python runtime startup or have file extensions be interpreted as the incorrect file type. This defect is caused by the default locations of Linux and macOS platforms (such as “/etc/mime.types”) also being used on Windows, where they are user-writable locations (“C:\etc\mime.types”). To work-around this issue a user can call mimetypes.init() with an empty list (“[]”) on Windows platforms to avoid using the default list of known file locations.

CVE-2024-3220

VCID-8kcs-tx37-nkca

CVE-2024-3219

VCID-cqde-7ptc-uuah

CVE-2024-12254

VCID-fggj-3rj4-fqcb

CVE-2024-5642

VCID-fy55-615v-fyfs

CVE-2026-4786

VCID-huaj-nmge-kuaj

CVE-2025-4330

VCID-k3um-zh86-abas

CVE-2025-4517

VCID-kx7z-47rq-uudg

CVE-2025-4138

VCID-ntft-rfz6-9kdr

CVE-2023-38898

VCID-qayb-9eug-23du

If `shutil.unpack_archive()` is given a ZIP archive with an absolute Windows path containing a drive (`C:\\...`) then the archive will be extracted outside the target directory which is different than other operating systems. Only Windows is affected by this vulnerability.

CVE-2026-3087

VCID-re25-vfea-auac

An issue was found in CPython 3.12.0 `subprocess` module on POSIX platforms. The issue was fixed in CPython 3.12.1 and does not affect other stable releases. When using the `extra_groups=` parameter with an empty list as a value (ie `extra_groups=[]`) the logic regressed to not call `setgroups(0, NULL)` before calling `exec()`, thus not dropping the original processes' groups before starting the new process. There is no issue when the parameter isn't used or when any value is used besides an empty list. This issue only impacts CPython processes run with sufficient privilege to make the `setgroups` system call (typically `root`).

CVE-2023-6507

VCID-tdgk-e9p1-gqfy

The method "sock_recvfrom_into()" of "asyncio.ProacterEventLoop" (Windows only) was missing a boundary check for the data buffer when using nbytes parameter. This allowed for an out-of-bounds buffer write if data was larger than the buffer size. Non-Windows platforms are not affected.

CVE-2026-3298

VCID-yz72-pvqh-xucs

CVE-2024-12718

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-11T21:15:09.413409+00:00	Debian Importer	Fixing	VCID-fy55-615v-fyfs	https://security-tracker.debian.org/tracker/data/json	38.6.0
2026-06-11T21:15:09.341940+00:00	Debian Importer	Fixing	VCID-tdgk-e9p1-gqfy	https://security-tracker.debian.org/tracker/data/json	38.6.0
2026-06-11T21:15:09.312795+00:00	Debian Importer	Fixing	VCID-qayb-9eug-23du	https://security-tracker.debian.org/tracker/data/json	38.6.0
2026-06-11T21:15:09.162393+00:00	Debian Importer	Fixing	VCID-k3um-zh86-abas	https://security-tracker.debian.org/tracker/data/json	38.6.0
2026-06-11T21:15:09.126960+00:00	Debian Importer	Fixing	VCID-6137-18w7-hqap	https://security-tracker.debian.org/tracker/data/json	38.6.0
2026-06-11T21:15:09.106002+00:00	Debian Importer	Fixing	VCID-huaj-nmge-kuaj	https://security-tracker.debian.org/tracker/data/json	38.6.0
2026-06-11T21:15:09.084994+00:00	Debian Importer	Fixing	VCID-kx7z-47rq-uudg	https://security-tracker.debian.org/tracker/data/json	38.6.0
2026-06-11T21:15:08.800094+00:00	Debian Importer	Fixing	VCID-fggj-3rj4-fqcb	https://security-tracker.debian.org/tracker/data/json	38.6.0
2026-06-11T21:15:08.758246+00:00	Debian Importer	Fixing	VCID-1uuu-3h7v-3bes	https://security-tracker.debian.org/tracker/data/json	38.6.0
2026-06-11T21:15:08.736357+00:00	Debian Importer	Fixing	VCID-6nhv-kmna-nfh5	https://security-tracker.debian.org/tracker/data/json	38.6.0
2026-06-11T21:15:08.715364+00:00	Debian Importer	Fixing	VCID-8kcs-tx37-nkca	https://security-tracker.debian.org/tracker/data/json	38.6.0
2026-06-11T21:15:08.695411+00:00	Debian Importer	Fixing	VCID-yz72-pvqh-xucs	https://security-tracker.debian.org/tracker/data/json	38.6.0
2026-06-11T21:15:08.670902+00:00	Debian Importer	Fixing	VCID-cqde-7ptc-uuah	https://security-tracker.debian.org/tracker/data/json	38.6.0
2026-06-11T21:15:08.555758+00:00	Debian Importer	Fixing	VCID-re25-vfea-auac	https://security-tracker.debian.org/tracker/data/json	38.6.0
2026-06-11T21:15:08.483490+00:00	Debian Importer	Fixing	VCID-ntft-rfz6-9kdr	https://security-tracker.debian.org/tracker/data/json	38.6.0
2026-06-11T21:15:08.462836+00:00	Debian Importer	Fixing	VCID-4558-j9sy-zkhn	https://security-tracker.debian.org/tracker/data/json	38.6.0