{"id":"CVE-2021-3177","details":"Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used unsafely.","aliases":["BIT-libpython-2021-3177","BIT-python-2021-3177","BIT-python-min-2021-3177","PSF-2021-3"],"modified":"2026-04-16T00:01:43.037836501Z","published":"2021-01-19T06:15:12.967Z","related":["ALSA-2021:1761","ALSA-2021:1879","SUSE-FU-2022:0444-1","SUSE-FU-2022:0445-1","SUSE-SU-2021:0355-1","SUSE-SU-2021:0428-1","SUSE-SU-2021:0432-1","SUSE-SU-2021:0529-1","openSUSE-SU-2021:0270-1","openSUSE-SU-2021:0331-1","openSUSE-SU-2024:11202-1","openSUSE-SU-2024:11283-1","openSUSE-SU-2024:11284-1","openSUSE-SU-2024:11285-1","openSUSE-SU-2024:11286-1","openSUSE-SU-2024:12089-1","openSUSE-SU-2024:12910-1","openSUSE-SU-2024:14109-1","openSUSE-SU-2024:14434-1","openSUSE-SU-2025:15713-1"],"database_specific":{"unresolved_ranges":[{"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:22.2.0:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"22.2.0"}]},{"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:communications_offline_mediation_controller:12.0.0.3.0:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"12.0.0.3.0"}]},{"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:communications_pricing_design_center:12.0.0.3.0:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"12.0.0.3.0"}]},{"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"12.4.0.0"}]},{"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"8.8"}]},{"source":"CPE_FIELD","cpe":"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"9.0"}]},{"cpe":"cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"last_affected":"32"}]},{"cpe":"cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"last_affected":"33"}]}]},"references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BRHOCQYX3QLDGDQGTWQAUUT2GGIZCZUO/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CCFZMVRQUKCBQIG5F2CBVADK63NFSE4A/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FONHJIOZOFD7CD35KZL6SVBUTMBPGZGA/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FPE7SMXYUIWPOIZV4DQYXODRXMFX3C5E/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HCQTCSP6SCVIYNIRUJC5X7YBVUHPLSC4/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MGSV6BJQLRQ6RKVUXK7JGU7TP4QFGQXC/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MP572OLHMS7MZO4KUPSCIMSZIA5IZZ62/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NODWHDIFBQE5RU5PUWUVE47JOT5VCMJ2/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NQPARTLNSFQVMMQHPNBFOCOZOO3TMQNA/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NXSMBHES3ANXXS2RSO5G6Q24BR4B2PWK/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V6XJAULOS5JVB2L67NCKKMJ5NTKZJBSD/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y4KSYYWMGAKOA2JVCQA422OINT6CKQ7O/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YDTZVGSXQ7HR7OCGSUHTRNTMBG43OMKU/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z7GZV74KM72O2PEJN2C4XP3V5Q5MZUOO/"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2021/04/msg00005.html"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2022/02/msg00013.html"},{"type":"ADVISORY","url":"https://news.ycombinator.com/item?id=26185005"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202101-18"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20210226-0003/"},{"type":"FIX","url":"https://bugs.python.org/issue42938"},{"type":"FIX","url":"https://github.com/python/cpython/pull/24239"},{"type":"FIX","url":"https://python-security.readthedocs.io/vuln/ctypes-buffer-overflow-pycarg_repr.html"},{"type":"FIX","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/python/cpython","events":[{"introduced":"5c4568a05a0a62b5947c55f68f9f2ecfb90a4f12"},{"last_affected":"c0a9afe2ac1820409e6173bd1893ebee2cf50270"},{"introduced":"1bf9cc509326bc42cd8cb1650eb9bf64550d817e"},{"last_affected":"13c94747c74437e594b7fc242ff7da668e81887c"},{"introduced":"fa919fdf2583bdfead1df00e842f24f30b2a34bf"},{"last_affected":"6503f05dd59e26a9986bdea097b3da9b3546f45b"},{"introduced":"9cf6752276e6fcfd0c23fdb064ad27f448aaaf75"},{"last_affected":"1e5d33e9b9b8631b36f061103a30208b206fd03a"}],"database_specific":{"source":"CPE_FIELD","cpe":"cpe:2.3:a:python:python:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"3.6.0"},{"last_affected":"3.6.12"},{"introduced":"3.7.0"},{"last_affected":"3.7.9"},{"introduced":"3.8.0"},{"last_affected":"3.8.7"},{"introduced":"3.9.0"},{"last_affected":"3.9.1"}]}}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-3177.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}