Is pyo3 affected by CVE-2024-9979?

crates.io pyo3 is affected in >=0.22.0 <0.22.4.

Is CVE-2024-9979 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.2%.

medium

CVE-2024-9979

Q: Is CVE-2024-9979 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.2%.

crates.io · pyo3

Summary

PyO3 has a risk of use-after-free in `borrowed` reads from Python weak references

Severity: medium
EPSS: 0.2% (p10)
Also known as: GHSA-6jgw-rgmm-7cv6, RUSTSEC-2024-0378
Published: 2024-10-15

References

https://nvd.nist.gov/vuln/detail/CVE-2024-9979
https://github.com/PyO3/pyo3/pull/4590
https://access.redhat.com/security/cve/CVE-2024-9979

Related advisories

GHSA-36hh-v3qg-5jq4 — high · crates.io/pyo3
GHSA-47qc-857f-7w7f — high · crates.io/pyo3
GHSA-chgr-c6px-7xpp — medium · crates.io/pyo3
GHSA-pph8-gcv7-4qj5 — medium · crates.io/pyo3
GHSA-vxcf-c7mx-pg53 — medium · crates.io/pyo3

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Check my repo

Summarize with AI

ChatGPT Claude Perplexity

Sources: CISA KEV (public domain), OSV.dev & GitHub Advisory Database (CC-BY-4.0), FIRST EPSS, NVD/CWE (public domain). Served live from the Stateward advisory database.