VYPR
Medium severity6.5OSV Advisory· Published Jun 27, 2024· Updated Jun 17, 2026

CVE-2024-5642

CVE-2024-5642

Description

CPython 3.9 and earlier doesn't disallow configuring an empty list ("[]") for SSLContext.set_npn_protocols() which is an invalid value for the underlying OpenSSL API. This results in a buffer over-read when NPN is used (see CVE-2024-5535 for OpenSSL). This vulnerability is of low severity due to NPN being not widely used and specifying an empty list likely being uncommon in-practice (typically a protocol name would be configured).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

134

Patches

Vulnerability mechanics

References

8

News mentions

0

No linked articles in our index yet.