CVE-2012-2135: UTF-16 decoder

Vulnerability in the UTF-16 decoder after error handling.

  • Disclosure date: 2012-04-14

Fixed In

Python issue

CVE-2012-2135: Vulnerability in the utf-16 decoder after error handling.

  • Python issue: bpo-14579
  • Creation date: 2012-04-14
  • Reporter: Serhiy Storchaka


The utf-16 decoder in Python 3.1 through 3.3 does not update the aligned_end variable after calling the unicode_decode_call_errorhandler function, which allows remote attackers to obtain sensitive information (process memory) or cause a denial of service (memory corruption and crash) via unspecified vectors.


Timeline using the disclosure date 2012-04-14 as reference: