Updated: 2025-12-28 04:13:28.080317
Description:
Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used unsafely.
| Links | NIST | CIRCL | RHEL | Ubuntu |
| Severity | Score | |
|---|---|---|
| CVSS Version 2.x | HIGH | 7.5 |
| CVSS Version 3.x | CRITICAL | 9.8 |
| OS name | Project name | Version | Score | Severity | Status | Errata | Last updated | Statement |
|---|---|---|---|---|---|---|---|---|
| Alpine Linux 3.22 | python | 3.9 | 9.8 | CRITICAL | Not Vulnerable | 2026-02-02 14:29:44 | Not affected: CVE-2021-3177 targets a buffer overflow in ctypes’ PyCArg_repr present only in Pytho... | |
| Alpine Linux 3.22 | python | 3.7 | 9.8 | CRITICAL | Already Fixed | 2026-02-16 14:39:50 | Not affected: CVE-2021-3177 targets a buffer overflow in ctypes’ PyCArg_repr present only in Pytho... | |
| Alpine Linux 3.22 | python | 3.8 | 9.8 | CRITICAL | Not Vulnerable | 2026-02-07 04:07:30 | Not affected: CVE-2021-3177 targets a buffer overflow in ctypes’ PyCArg_repr present only in Pytho... | |
| Alpine Linux 3.22 | python | 3.6 | 9.8 | CRITICAL | Not Vulnerable | 2026-01-27 16:42:45 | Not affected: CVE-2021-3177 targets a buffer overflow in ctypes’ PyCArg_repr present only in Pytho... | |
| Debian 10 | python | 3.6 | 9.8 | CRITICAL | Already Fixed | 2025-09-05 09:15:44 | ||
| Debian 11 | python | 3.6 | 9.8 | CRITICAL | Already Fixed | 2025-09-05 09:15:44 | ||
| Debian 12 | python | 3.9 | 9.8 | CRITICAL | Not Vulnerable | 2025-12-04 16:07:00 | Not affected: CVE-2021-3177 targets a buffer overflow in ctypes’ PyCArg_repr present only in Pytho... | |
| Debian 12 | python | 3.7 | 9.8 | CRITICAL | Already Fixed | 2025-11-10 21:41:33 | Not affected: CVE-2021-3177 targets a buffer overflow in ctypes’ PyCArg_repr present only in Pytho... | |
| Debian 12 | python | 3.6 | 9.8 | CRITICAL | Already Fixed | 2025-09-05 09:15:43 | Not affected: CVE-2021-3177 targets a buffer overflow in ctypes’ PyCArg_repr present only in Pytho... | |
| Debian 12 | python | 3.8 | 9.8 | CRITICAL | Not Vulnerable | 2025-11-11 18:59:57 | Not affected: CVE-2021-3177 targets a buffer overflow in ctypes’ PyCArg_repr present only in Pytho... |