CVE-2022-48560

7.5 HIGH

📋 TL;DR

CVE-2022-48560 is a use-after-free vulnerability in Python's heapq.heappushpop function that can lead to memory corruption. It affects Python applications that use the heapq module, potentially allowing attackers to crash the application or execute arbitrary code. All Python users through version 3.9 are affected.

💻 Affected Systems

Products:
  • Python
  • Applications using Python heapq module
Versions: Python versions through 3.9
Operating Systems: All operating systems running affected Python versions
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using heapq.heappushpop function

📦 What is this software?

Python by Python

Python is a high-level, interpreted programming language known for its readability and versatility. It is widely used in web development, data science, automation, and scientific computing.

Learn more about Python →

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise

🟠 Likely Case: Application crash (denial of service) or memory corruption

🟢 If Mitigated: Limited impact if the application runs with minimal privileges and proper sandboxing

🌐 Internet-Facing: MEDIUM - Requires attacker to trigger vulnerable heap operation
🏢 Internal Only: LOW - Requires local access or specific application functionality

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: HIGH

Exploitation requires triggering specific heap operations; no public exploits known

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Python 3.10.0 and later

Vendor Advisory: https://bugs.python.org/issue39421

Restart Required: Yes

Instructions:

1. Upgrade Python to version 3.10.0 or later
2. Restart all Python applications and services
3. Rebuild any Python virtual environments

🔧 Temporary Workarounds

Avoid heapq.heappushpop

all

Replace heapq.heappushpop calls with separate heappush and heappop operations

# Replace: heapq.heappushpop(heap, item)
# With: heapq.heappush(heap, item)
#        heapq.heappop(heap)
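The following is an added example, not code from the advisory or from CPython: it wraps the workaround described above in a drop-in helper, gates it on the patched version the page names (3.10.0), and checks on constructed input that the two-call form returns the same element and leaves the same heap contents as heapq.heappushpop.

```python
import heapq
import sys
from typing import Any, List, Sequence

# Version gate taken from the advisory: Python 3.10.0 and later is listed
# as patched, so the workaround is only needed on older interpreters.
PATCHED = (3, 10, 0)


def runtime_is_affected(version_info: Sequence[int] = sys.version_info) -> bool:
    """True when the (major, minor, micro) version predates the patched release."""
    return tuple(version_info[:3]) < PATCHED


def heappushpop_workaround(heap: List[Any], item: Any) -> Any:
    """Push `item`, then pop the smallest element, using two separate heapq
    calls instead of heapq.heappushpop. Observable result is identical: the
    smallest of heap + [item] is returned and the rest stays in the heap."""
    heapq.heappush(heap, item)
    return heapq.heappop(heap)


def heappushpop_safe(heap: List[Any], item: Any) -> Any:
    """Drop-in replacement (hypothetical helper name): library call on patched
    runtimes, the two-call workaround on affected ones."""
    if runtime_is_affected():
        return heappushpop_workaround(heap, item)
    return heapq.heappushpop(heap, item)


def workaround_matches_builtin(values: Sequence[Any], item: Any) -> bool:
    """Run both forms on copies of a constructed heap and compare the returned
    element and the remaining heap contents (as sorted lists)."""
    a = list(values)
    b = list(values)
    heapq.heapify(a)
    heapq.heapify(b)
    ra = heapq.heappushpop(a, item)
    rb = heappushpop_workaround(b, item)
    return ra == rb and sorted(a) == sorted(b)


if __name__ == "__main__":
    print("affected runtime:", runtime_is_affected())
    # Constructed inputs, including the edge cases: empty heap, item already minimal.
    for values, item in ([7, 2, 9, 4], 5), ([], 1), ([2, 3], 1), ([3, 3, 3], 3):
        print(values, item, "match:", workaround_matches_builtin(values, item))
```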

🧯 If You Can't Patch

  • Implement strict input validation for heap operations
  • Run Python applications with minimal privileges and memory limits

🔍 How to Verify

Check if Vulnerable:

Check Python version: python --version or python3 --version

Check Version:

python --version

Verify Fix Applied:

Verify Python version is 3.10.0 or later

📡 Detection & Monitoring

Log Indicators:

  • Python segmentation faults
  • Memory access violation errors
  • Heap corruption warnings

Network Indicators:

  • None specific - this is a local memory corruption vulnerability

SIEM Query:

source="*python*" AND ("segmentation fault" OR "memory corruption" OR "heap")
