CVE-2024-0397

7.4 HIGH

📋 TL;DR

A race condition in Python's ssl module means that calling cert_store_stats() or get_ca_certs() on an SSLContext while certificates are being loaded into it can cause memory corruption. This affects Python applications using SSL/TLS with certificate directories, potentially leading to crashes or arbitrary code execution. Systems running vulnerable Python versions with SSL/TLS enabled are at risk.

💻 Affected Systems

Products:
  • Python
  • Applications using Python's ssl module
Versions: Python 3.10.x < 3.10.14, 3.11.x < 3.11.9, 3.12.x < 3.12.3, 3.13.x < 3.13.0a5
Operating Systems: All operating systems running Python
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when using SSL/TLS with certificate directories configured and calling the affected methods concurrently with certificate loading.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case: Memory corruption leading to arbitrary code execution, potentially allowing full system compromise.

🟠 Likely Case: Application crashes or denial of service due to memory corruption.

🟢 If Mitigated: No impact if the race condition doesn't trigger or if proper error handling exists.

🌐 Internet-Facing: MEDIUM - Requires specific timing and SSL/TLS configuration with certificate directories.
🏢 Internal Only: LOW - Same requirements as internet-facing, but reduced attack surface.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: HIGH - Requires precise timing and specific SSL/TLS configuration.

Exploitation requires triggering the race while certificates are being loaded.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Python 3.10.14, 3.11.9, 3.12.3, 3.13.0a5

Vendor Advisory: https://github.com/python/cpython/security/advisories

Restart Required: Yes

Instructions:

  1. Identify the Python version with 'python --version'.
  2. Upgrade to a patched version using your package manager (apt/yum/pip) or download from python.org.
  3. Restart all Python applications/services.

🔧 Temporary Workarounds

Avoid concurrent certificate operations (applies to: all)

Prevent calling cert_store_stats() or get_ca_certs() while certificates are being loaded.

Disable certificate directory loading (applies to: all)

Use static certificate configurations instead of dynamic directory loading.

🧯 If You Can't Patch

  • Implement application-level locking around SSL certificate operations
  • Monitor for application crashes and implement automatic restart mechanisms
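The following is an added example of the application-level locking suggested above; it is not code from the advisory or from CPython. The wrapper class name (LockedCertStore) and the use of load_default_certs() as the "loading" operation in the stress helper are assumptions made for the demonstration: one lock serialises every certificate load against every call to the two inspection methods named in the advisory, so the two can never overlap on the same SSLContext.

```python
import ssl
import threading


class LockedCertStore:
    """Wraps an SSLContext so that certificate loading and certificate-store
    inspection never run at the same time (the race CVE-2024-0397 describes).
    Hypothetical helper written for this example."""

    def __init__(self, context=None):
        # A fresh client context unless the caller supplies its own.
        self._ctx = context or ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        self._lock = threading.Lock()

    # Loading paths: hold the lock for the entire load.
    def load_verify_locations(self, cafile=None, capath=None, cadata=None):
        with self._lock:
            self._ctx.load_verify_locations(cafile=cafile, capath=capath, cadata=cadata)

    def load_default_certs(self, purpose=ssl.Purpose.SERVER_AUTH):
        with self._lock:
            self._ctx.load_default_certs(purpose)

    # The two inspection methods the advisory names, under the same lock.
    def cert_store_stats(self):
        with self._lock:
            return self._ctx.cert_store_stats()

    def get_ca_certs(self, binary_form=False):
        with self._lock:
            return self._ctx.get_ca_certs(binary_form=binary_form)

    @property
    def context(self):
        """The underlying SSLContext, for wrap_socket() and friends."""
        return self._ctx


def stress(store, workers=4, rounds=200):
    """Call the inspection methods from several threads while the main thread
    reloads certificates. Returns the number of reader iterations completed,
    which is workers * rounds when every thread finishes cleanly."""
    done = [0] * workers

    def reader(i):
        for _ in range(rounds):
            store.cert_store_stats()
            store.get_ca_certs()
            done[i] += 1

    threads = [threading.Thread(target=reader, args=(i,)) for i in range(workers)]
    for t in threads:
        t.start()
    for _ in range(rounds):
        store.load_default_certs()  # stand-in for the directory load in production
    for t in threads:
        t.join()
    return sum(done)


if __name__ == "__main__":
    s = LockedCertStore()
    print("completed reader iterations:", stress(s))
    print("store stats:", s.cert_store_stats())
```

In production the same lock must also cover any other code path that mutates the store (for example a periodic reload of a certificate directory); the lock only helps if every loader and every inspector on that context goes through it.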

🔍 How to Verify

Check if Vulnerable:

Check the Python version, then confirm whether the application uses SSL/TLS with certificate directories and calls the affected methods concurrently with certificate loading.

Check Version:

python --version

Verify Fix Applied:

Confirm Python version is 3.10.14+, 3.11.9+, 3.12.3+, or 3.13.0a5+ using 'python --version'.
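An added helper (not from the advisory) that encodes the fixed versions listed above into a check against sys.version_info, including the pre-release case 3.13.0a5, which a plain string comparison of 'python --version' output gets wrong. Treating 3.14 and later as fixed is an assumption; the advisory only lists 3.10 through 3.13.

```python
import sys

# First fixed release per minor version, from the advisory's "Patch Version"
# line: 3.10.14, 3.11.9, 3.12.3 and 3.13.0a5 (micro 0, alpha level, serial 5).
FIRST_FIXED = {
    10: (14, "final", 0),
    11: (9, "final", 0),
    12: (3, "final", 0),
    13: (0, "alpha", 5),
}

# Pre-release ordering as reported in sys.version_info.releaselevel.
LEVEL_RANK = {"alpha": 0, "beta": 1, "candidate": 2, "final": 3}


def is_patched(version_info):
    """Return True if (major, minor, micro, releaselevel, serial) is at or
    above the first fixed release, False if below it, and None for a minor
    version the advisory does not cover."""
    major, minor, micro, level, serial = version_info[:5]
    if major != 3 or minor < 10:
        return None  # outside the affected range listed in the advisory
    if minor > 13:
        return True  # assumption: releases after 3.13 carry the fix
    fixed_micro, fixed_level, fixed_serial = FIRST_FIXED[minor]
    have = (micro, LEVEL_RANK[level], serial)
    need = (fixed_micro, LEVEL_RANK[fixed_level], fixed_serial)
    return have >= need


def check_running_interpreter():
    """Verdict for the interpreter executing this script."""
    return is_patched(sys.version_info)


if __name__ == "__main__":
    verdict = {True: "patched", False: "VULNERABLE", None: "not covered by advisory"}
    print(sys.version.split()[0], "->", verdict[check_running_interpreter()])
```

Run it with every Python interpreter a host actually uses (system python3, virtualenvs, container base images), since a patched system interpreter says nothing about the one a service is started with.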

📡 Detection & Monitoring

Log Indicators:

  • Python segmentation faults
  • SSL/TLS handshake failures
  • Memory corruption errors

Network Indicators:

  • TLS connection resets
  • Unexpected SSL/TLS protocol errors

SIEM Query:

source="*python*" AND ("segmentation fault" OR "memory corruption" OR "SSL error")
