PyO3 has a missing `Sync` bound on `PyCFunction::new_closure` closures

PyCFunction::newclosure and the temporary newclosurebound complement in the 0.21–0.22 series required the supplied closure to be Send + 'static but not Sync. The resulting PyCFunction is a Python callable that can be invoked from any Python thread, which means the closure may be called concurrent...

GHSA-36HH-V3QG-5JQ4 PyO3 has an Out-of-bounds Read in `nth` / `nth_back` for `PyList` and `PyTuple` iterators

PyO3 0.24.0 added optimized implementations of Iterator::nth and DoubleEndedIterator::nthback for the BoundListIterator and BoundTupleIterator types. These implementations computed the target index using unchecked usize addition index + n before bounds-checking against the sequence length, then...

[SECURITY] Fedora 42 Update: maturin-1.9.6-4.fc42

Build and publish crates with pyo3, rust-cpython and cffi bindings as well as rust binaries as python packages...

[SECURITY] Fedora 43 Update: maturin-1.9.6-5.fc43

Build and publish crates with pyo3, rust-cpython and cffi bindings as well as rust binaries as python packages...

[SECURITY] Fedora 44 Update: maturin-1.9.6-5.fc44

Build and publish crates with pyo3, rust-cpython and cffi bindings as well as rust binaries as python packages...

[SECURITY] Fedora 43 Update: rust-pythonize-0.27.0-1.fc43

Serde Serializer & Deserializer from Rust Python, backed by PyO3...

[SECURITY] Fedora 42 Update: maturin-1.9.6-3.fc42

Build and publish crates with pyo3, rust-cpython and cffi bindings as well as rust binaries as python packages...

[SECURITY] Fedora 43 Update: maturin-1.9.6-4.fc43

Build and publish crates with pyo3, rust-cpython and cffi bindings as well as rust binaries as python packages...

EUVD-2021-1519

Malware in sbrugna...

EUVD-2024-2969

Malicious code in bioql PyPI...

[SECURITY] Fedora 43 Update: maturin-1.8.7-2.fc43

Build and publish crates with pyo3, rust-cpython and cffi bindings as well as rust binaries as python packages...

[SECURITY] Fedora 41 Update: maturin-1.8.7-2.fc41

Build and publish crates with pyo3, rust-cpython and cffi bindings as well as rust binaries as python packages...

[SECURITY] Fedora 42 Update: maturin-1.8.7-2.fc42

Build and publish crates with pyo3, rust-cpython and cffi bindings as well as rust binaries as python packages...

Linux Distros Unpatched Vulnerability : CVE-2024-9979

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A flaw was found in PyO3. This vulnerability causes a use-after-free issue, potentially leading to memory corruption or crashes via unsound borrowing from weak...

CVE-2020-35917

An issue was discovered in the pyo3 crate before 0.12.4 for Rust. There is a reference-counting error and use-after-free in From...

RuStream (>=0.0.1 <=0.0.2), abd-clam (>=0.23.1 <=0.25.3) +245 more potentially affected by unknown CVE via pyo3 (>=0.1.0 <=0.23.5)

pyo3 CARGO version =0.1.0, =0.0.1, =0.23.1, =0.12.2, =0.2.1, =48.0.0, =0.1.0, =0.3.3, =0.0.1-a1, =0.0.1-a1, =0.1.0, =0.2.37, =1.0.5-beta.1 - bilbyrust =0.1.0 - bitbazaar =0.0.2 and more Source cves: unknown CVE Source advisory: OSV:GHSA-PPH8-GCV7-4QJ5...

GHSA-PPH8-GCV7-4QJ5 PyO3 Risk of buffer overflow in `PyString::from_object`

PyString::fromobject took &str arguments and forwarded them directly to the Python C API without checking for terminating nul bytes. This could lead the Python interpreter to read beyond the end of the &str data and potentially leak contents of the out-of-bounds read by raising a Python exception...

PyO3 Risk of buffer overflow in `PyString::from_object`

PyString::fromobject took &str arguments and forwarded them directly to the Python C API without checking for terminating nul bytes. This could lead the Python interpreter to read beyond the end of the &str data and potentially leak contents of the out-of-bounds read by raising a Python exception...

RuStream (>=0.0.1 <=0.0.2), RustPyNet (>=0.1.0 <=0.1.3) +593 more potentially affected by unknown CVE via pyo3 (>=0.10.1 <=0.23.5)

pyo3 CARGO version =0.10.1, =0.0.1, =0.1.0, =0.21.8, =0.8.0, =0.12.0, =0.2.1, =0.3.0, =0.1.0, =0.1.0, =0.1.0, =0.0.1, =0.0.1, =0.0.14 and more Source cves: unknown CVE Source advisory: OSV:RUSTSEC-2025-0020...

RUSTSEC-2025-0020 Risk of buffer overflow in `PyString::from_object`

PyString::fromobject took &str arguments and forwarded them directly to the Python C API without checking for terminating nul bytes. This could lead the Python interpreter to read beyond the end of the &str data and potentially leak contents of the out-of-bounds read by raising a Python exception...