Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2024-3219

CVE-2024-3219: Python Socket Module Race Condition Flaw

CVE-2024-3219 is a race condition flaw in Python's socket module affecting Windows platforms. The vulnerability allows malicious local peers to exploit unverified connections. This article covers technical details, affected versions, impact, and mitigation strategies.

Updated:

CVE-2024-3219 Overview

CVE-2024-3219 is a race condition vulnerability in the CPython socket module affecting the pure-Python fallback implementation of socket.socketpair(). The fallback is used on platforms that do not support AF_UNIX, such as Windows. The implementation creates a local pair of sockets using AF_INET or AF_INET6 but does not verify that the returned connection originates from the intended peer. A malicious local process can win the race and connect to the listening server socket before the legitimate client, hijacking one end of the socket pair.

Critical Impact

A local attacker on Windows can interpose on a socket.socketpair() connection, enabling unauthorized read or write access to data exchanged between the two endpoints in the affected Python process.

Affected Products

  • CPython 3.5 and later on platforms without AF_UNIX support (primarily Windows)
  • Python applications on Windows relying on socket.socketpair() for inter-process or intra-process communication
  • NetApp products bundling affected CPython versions, per NetApp Security Advisory ntap-20250502-0004

Discovery Timeline

Technical Details for CVE-2024-3219

Vulnerability Analysis

The socket.socketpair() API is designed to return two already-connected sockets for local communication. On Linux and macOS, the kernel provides this primitive natively via AF_UNIX. On Windows, CPython falls back to a pure-Python implementation that simulates the behavior using TCP loopback sockets bound to a localhost address.

The fallback function creates a listening socket, initiates a connecting socket toward the listener, and accepts the incoming connection. The accepted connection is then returned to the caller as the server-side endpoint. The implementation does not validate that the accepted peer is the connecting socket it just initiated. Any local process able to connect to the listener within the timing window can be accepted instead. This issue is classified as a missing authentication weakness [CWE-306].

Root Cause

The pure-Python fallback binds the listening socket to a loopback address and calls accept() without comparing the resulting peer address and port to the address of the locally created client socket. Because the listener is reachable by any process running as any user on the same host, a local adversary that races against connect() can have its own connection accepted. The legitimate client then fails or connects to a different endpoint, but the caller is unaware that the returned server socket is connected to an attacker.

Attack Vector

Exploitation requires local code execution on the same host as the Python process. The attacker enumerates loopback listeners or predicts the ephemeral port assigned by the operating system and attempts repeated connect() calls against the temporary listener created during socketpair(). Winning the race substitutes the attacker-controlled socket for the intended peer. From this position, the attacker can read data the application writes to the pair, inject crafted data into the application, or break workflows that assume the pair is private.

No verified public exploit code is available. The patch verifies the peer address and port after accept() and rejects mismatches before returning the socket pair. See the fix in GitHub CPython Pull Request #122134 and the tracking GitHub CPython Issue #122133.

Detection Methods for CVE-2024-3219

Indicators of Compromise

  • Unexpected inbound TCP connections to short-lived loopback listeners created by python.exe or pythonw.exe processes
  • Python application logs showing protocol errors, truncated messages, or unexpected disconnects on internal socketpair() channels
  • Local processes other than the Python interpreter initiating connections to 127.0.0.1 ephemeral ports during Python process startup

Detection Strategies

  • Inventory Windows hosts running Python 3.5 or later and identify applications that call socket.socketpair() directly or indirectly through libraries such as multiprocessing, asyncio, or subprocess
  • Monitor process telemetry for non-Python processes opening loopback sockets that coincide with Python process initialization
  • Audit installed Python interpreters against the patched versions referenced in the Python Security Announce Thread

Monitoring Recommendations

  • Enable network connection telemetry on Windows endpoints and alert on loopback connections that cross process trust boundaries
  • Correlate Sysmon Event ID 3 (network connection) entries against the originating process image to detect non-interpreter processes targeting Python loopback listeners
  • Track Python runtime versions through software inventory and flag installations below the patched CPython releases

How to Mitigate CVE-2024-3219

Immediate Actions Required

  • Upgrade CPython to a patched version on all Windows hosts that run Python applications
  • Inventory third-party software, including NetApp products, that embed vulnerable CPython interpreters and apply vendor updates
  • Restrict local logon and code execution rights on Windows systems running Python services to reduce the local attacker surface

Patch Information

The Python project corrected the fallback by validating the peer of the accepted connection against the locally created client socket. Fixes were merged into multiple CPython branches across commits including 06fa244, 0b65c8b, 220e31a, and 78df104. Apply the latest 3.x maintenance release for your branch as listed in the Python Security Announce Thread.

Workarounds

  • Replace socket.socketpair() with os.pipe() or named pipes (\\.\pipe\...) for local IPC on Windows where bidirectional sockets are not required
  • Wrap socket.socketpair() calls with code that verifies getpeername() of the accepted socket matches getsockname() of the connecting socket and rejects mismatches
  • Run Python workloads on platforms with native AF_UNIX support (Linux, macOS, or Windows builds that enable AF_UNIX) where the vulnerable fallback is not used
bash
# Verify the installed Python version on Windows
python --version

# Upgrade Python using the official installer or package manager
# Example using winget:
winget upgrade --id Python.Python.3

# Confirm the patched socketpair behavior is present
python -c "import socket; a,b = socket.socketpair(); print(a.getpeername(), b.getsockname())"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne