CVE-2018-20406

Updated: 2025-08-20 00:41:16.644275

Description:

Modules/_pickle.c in Python before 3.7.1 has an integer overflow via a large LONG_BINPUT value that is mishandled during a "resize to twice the size" attempt. This issue might cause memory exhaustion, but is only relevant if the pickle format is used for serializing tens or hundreds of gigabytes of data. This issue is fixed in: v3.4.10, v3.4.10rc1; v3.5.10, v3.5.10rc1, v3.5.7, v3.5.7rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.7, v3.6.7rc1, v3.6.7rc2, v3.6.8, v3.6.8rc1, v3.6.9, v3.6.9rc1; v3.7.1, v3.7.1rc1, v3.7.1rc2, v3.7.2, v3.7.2rc1, v3.7.3, v3.7.3rc1, v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.


Links NIST CIRCL RHEL Ubuntu

Severity

Severity Score
CVSS Version 2.x MEDIUM 5.0
CVSS Version 3.x HIGH 7.5

Status

OS name Project name Version Score Severity Status Errata Last updated

Statement
Alpine Linux 3.22 python 3.7 7.5 HIGH Not Vulnerable 2026-02-16 14:41:15
Alpine Linux 3.22 python 3.6 7.5 HIGH Already Fixed 2026-01-27 16:43:49
Debian 10 python 3.6 7.5 HIGH Already Fixed 2025-09-05 09:17:28
Debian 11 python 3.6 7.5 HIGH Already Fixed 2025-09-05 09:17:28
Debian 12 python 3.7 7.5 HIGH Not Vulnerable 2025-11-12 16:13:18 Not vulnerable: CVE-2018-20406 affects CPython’s _pickle module only in releases prior to 3.7.1. V...
Debian 12 python 3.6 7.5 HIGH Already Fixed 2025-09-05 09:17:27 Not vulnerable: CVE-2018-20406 affects CPython’s _pickle module only in releases prior to 3.7.1. V...
Debian 13 python 3.6 7.5 HIGH Already Fixed 2025-09-29 23:27:17
Debian 13 python 3.7 7.5 HIGH Not Vulnerable 2025-11-12 16:13:18
EL 10 python 3.6 7.5 HIGH Already Fixed 2025-10-23 12:33:57
EL 7 python 3.6 7.5 HIGH Already Fixed 2025-07-16 01:30:35
Total: 17