VYPR
Moderate severity · NVD Advisory · Published Dec 31, 2020 · Updated Aug 4, 2024

CVE-2020-35917

Description

Reference counting error in PyO3's From<Py<T>> leads to use-after-free, allowing memory corruption.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An issue was discovered in the PyO3 crate before version 0.12.4 for Rust. The vulnerability is a reference-counting error in the From<Py<T>> implementation for PyObject, which leads to a use-after-free condition when converting a Py<T> to a PyObject [1][3]. The bug causes an extra reference decrement, freeing memory that may still be in use.
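
A model of the ownership mistake described above, added here as an example (it is not PyO3 code and calls no PyO3 API): a plain counter stands in for the Python reference count, and `Handle`, `into_raw`, `convert_buggy`, `convert_fixed` and `observe` are hypothetical names. It shows that copying the pointer out of a handle that implements `Drop` still drops the source handle, so the count reaches zero while the converted handle is alive.

```rust
use std::{cell::Cell, marker::PhantomData, mem};

// Assumption: a plain counter stands in for a Python object's refcount;
// reaching 0 means the interpreter would free the object.
type RefCount = Cell<isize>;

// Toy owning handle: each live Handle accounts for exactly one reference.
struct Handle<'a, T>(&'a RefCount, PhantomData<T>);
#[allow(dead_code)] struct Dict; // typed marker, in the role of PyDict
#[allow(dead_code)] struct Any; // untyped marker, in the role of PyAny

impl<'a, T> Handle<'a, T> {
    fn new(rc: &'a RefCount) -> Self {
        rc.set(rc.get() + 1);
        Handle(rc, PhantomData)
    }
    // Give up ownership without running Drop, so the count is untouched.
    fn into_raw(self) -> &'a RefCount {
        let rc = self.0;
        mem::forget(self);
        rc
    }
}

impl<'a, T> Drop for Handle<'a, T> {
    fn drop(&mut self) { self.0.set(self.0.get() - 1); }
}

// Buggy shape: the pattern only copies the pointer, so `other` is still
// dropped on return and the new handle holds a reference it never acquired.
fn convert_buggy<'a>(other: Handle<'a, Dict>) -> Handle<'a, Any> {
    let Handle(rc, _) = other;
    Handle(rc, PhantomData)
}

// Fixed shape: consume `other` without dropping it, then adopt its reference.
fn convert_fixed<'a>(other: Handle<'a, Dict>) -> Handle<'a, Any> {
    Handle(other.into_raw(), PhantomData)
}

// Returns (count while the converted handle is alive, count after dropping it).
fn observe(fixed: bool) -> (isize, isize) {
    let rc = Cell::new(0);
    let h = Handle::<Dict>::new(&rc);
    let any = if fixed { convert_fixed(h) } else { convert_buggy(h) };
    let live = rc.get();
    drop(any);
    (live, rc.get())
}

fn main() { println!("buggy {:?}, fixed {:?}", observe(false), observe(true)); }
```

On the buggy path the count is already 0 while the converted handle still exists, which is the use-after-free window; on the fixed path it stays at 1 until that handle is dropped.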

Exploitation requires local access with low privileges and no user interaction, as per the CVSS vector (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) [2]. An attacker could trigger the issue through any code path that performs the vulnerable conversion, potentially in a Python extension module built with PyO3. The attack surface includes any application that handles Python objects via the PyO3 bindings [1].

The impact is primarily on system availability, as the use-after-free can cause a crash (denial of service). There is no impact on confidentiality or integrity according to the CVSS score [2]. The RustSec advisory lists the CVSS score as 5.5 (MEDIUM) [3].

The vulnerability was patched in PyO3 version 0.12.4 via commit 8f81f59 [4]. Versions 0.12.0 through 0.12.3 are affected, while versions before 0.12.0 are not vulnerable. Users are advised to upgrade to the latest patched version to mitigate the risk [3].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: pyo3 (crates.io)
Affected versions: >= 0.12.0, < 0.12.4
Patched versions: 0.12.4

Affected products

2
  • Rust/pyo3 · description
  • ghsa-coords
    Range: >= 0.12.0, < 0.12.4

Patches

1
8f81f595dd77

py: fix reference count bug in From(Py<T>) for PyObject

https://github.com/PyO3/pyo3 · David Hewitt · Nov 28, 2020 · via ghsa
1 file changed · +12 -2
  • src/instance.rs · +12 -2 · modified
    @@ -473,9 +473,9 @@ impl<T> std::convert::From<Py<T>> for PyObject
     where
         T: AsRef<PyAny>,
     {
    +    #[inline]
         fn from(other: Py<T>) -> Self {
    -        let Py(ptr, _) = other;
    -        Py(ptr, PhantomData)
    +        unsafe { Self::from_non_null(other.into_non_null()) }
         }
     }
     
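Review bot: the new `unsafe` block in `from` has no comment saying why it is sound. `Self::from_non_null(other.into_non_null())` is only correct if `into_non_null` gives up `other`'s reference without decrementing it and `from_non_null` adopts the pointer without incrementing it; neither contract is visible in this hunk, so a one-line `// SAFETY:` comment recording that ownership transfer would make it auditable. It would also be worth checking the rest of the file for other conversions that take the pointer out with a `let Py(ptr, _) = ...` pattern, as the removed lines did.
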
    @@ -626,4 +626,14 @@ mod test {
             };
             assert_eq!(unsafe { ffi::Py_REFCNT(dict.as_ptr()) }, 1);
         }
    +
    +    #[test]
    +    fn pyobject_from_py() {
    +        Python::with_gil(|py| {
    +            let dict: Py<PyDict> = PyDict::new(py).into();
    +            let cnt = dict.get_refcnt(py);
    +            let p: PyObject = dict.into();
    +            assert_eq!(p.get_refcnt(py), cnt);
    +        });
    +    }
     }
    
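Review bot: `pyobject_from_py` reads the count after the conversion only through `p`, the handle whose validity is the thing under test. If the conversion ever releases a reference again, `p.get_refcnt(py)` may be reading an object that has already been freed, so the assertion is not guaranteed to fail cleanly. Keeping a second reference to the dict alive for the whole test and reading the count through that one would make the check independent of `p`, and a short comment naming the regression it guards (the conversion must leave the count unchanged) would help future readers.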

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5
