GHSA-chgr-c6px-7xpp
Suggest an improvement- Source
- https://github.com/advisories/GHSA-chgr-c6px-7xpp
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-chgr-c6px-7xpp/GHSA-chgr-c6px-7xpp.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-chgr-c6px-7xpp
- Aliases
- Published
- 2026-06-12T20:09:05Z
- Modified
- 2026-06-13T06:41:26.712739704Z
- Severity
-
- 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- PyO3 has a missing `Sync` bound on `PyCFunction::new_closure` closures
- Details
-
PyCFunction::new_closure(and the temporarynew_closure_boundcomplement in the 0.21–0.22 series) required the supplied closure to beSend + 'staticbut notSync. The resultingPyCFunctionis a Python callable that can be invoked from any Python thread, which means the closure may be called concurrently from multiple threads, and needs aSyncbound to prevent possible data races.The problem exists under all Python versions but is particularly vulnerable under the newer free-threaded Python variant, which do not have serial execution imposed by the Global Interpreter Lock. Under releases protected by the GIL, the ability to "detach" from the Python interpreter temporarily inside the closure (e.g. by
Python::detach) makes it possible for interleaved and/or concurrent execution of various portions of the closure.PyO3 0.29.0 added a
Syncbound to close this thread-safety bug. - Database specific
{ "github_reviewed": true, "severity": "MODERATE", "github_reviewed_at": "2026-06-12T20:09:05Z", "cwe_ids": [ "CWE-362" ], "nvd_published_at": null }- References
Affected packages
crates.io / pyo3
Package
- Name
- pyo3
- View open source insights on deps.dev
- Purl
- pkg:cargo/pyo3