Buffer Overflow Vulnerability in _Py_wreadlink Function #136062

Closed as not planned
@akshat62

Bug report

Bug description:

Discovered a buffer overflow vulnerability in the _Py_wreadlink function in Python's core codebase. This function, which reads the value of a symbolic link, fails to properly null-terminate the output buffer in certain edge cases, potentially leading to buffer overruns.

The function uses wcsncpy to copy a wide character string but doesn't guarantee null-termination:

wcsncpy(buf, wbuf, buflen);

Reproduction

The issue can be reproduced in any scenario where _Py_wreadlink is called with a symbolic link whose content length is exactly one less than the provided buffer size.

CPython versions tested on:

CPython main branch

Operating systems tested on:

Linux
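
The termination behaviour of `wcsncpy` at the buffer boundary the report discusses, as an added example that is not code from the issue or from CPython. It goes beyond the single case in the report by testing source lengths of `buflen - 1`, `buflen` and `buflen + 1`; the helper names `is_terminated`, `copy_unchecked` and `copy_checked` and the sample strings are hypothetical, and the length guard is one possible mitigation.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

/* Returns 1 if buf[0..buflen-1] contains a terminating L'\0', else 0. */
static int is_terminated(const wchar_t *buf, size_t buflen)
{
    return wmemchr(buf, L'\0', buflen) != NULL;
}

/* Bare call as quoted in the report. wcsncpy copies at most buflen wide
 * characters and writes a terminator only when wcslen(src) < buflen. */
static int copy_unchecked(wchar_t *buf, const wchar_t *src, size_t buflen)
{
    wmemset(buf, L'#', buflen);   /* sentinel fill: stale zeros cannot mask the result */
    wcsncpy(buf, src, buflen);
    return is_terminated(buf, buflen);
}

/* Hypothetical guarded wrapper: reject any source that leaves no room for
 * the terminator. Returns the copied length, or -1 with errno = EINVAL. */
static int copy_checked(wchar_t *buf, const wchar_t *src, size_t buflen)
{
    size_t len = wcslen(src);
    if (buflen <= len) {
        errno = EINVAL;
        return -1;
    }
    wcsncpy(buf, src, buflen);    /* len < buflen: terminator and zero padding are written */
    return (int)len;
}

int main(void)
{
    wchar_t buf[8];
    /* Constructed link targets of 7, 8 and 9 wide characters. */
    const wchar_t *targets[] = { L"abcdefg", L"abcdefgh", L"abcdefghi" };
    for (size_t i = 0; i < 3; i++) {
        int term = copy_unchecked(buf, targets[i], 8);
        int res = copy_checked(buf, targets[i], 8);
        wprintf(L"len=%zu unchecked_terminated=%d checked=%d\n",
                wcslen(targets[i]), term, res);
    }
    return 0;
}
```
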

Labels: interpreter-core (Objects, Python, Grammar, and Parser dirs); pending (The issue will be closed if no feedback is provided); type-bug (An unexpected behavior, bug, or error)
