Vulnerability in the utf-16 decoder after error handling


This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.

The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the Open Source Vulnerability Database.

Vulnerability in the UTF-16 decoder after error handling.


  • Disclosure date: 2012-04-14

Fixed In

Python issue

CVE-2012-2135: Vulnerability in the utf-16 decoder after error handling.

  • Python issue: bpo-14579
  • Creation date: 2012-04-14
  • Reporter: Serhiy Storchaka


The utf-16 decoder in Python 3.1 through 3.3 does not update the aligned_end variable after calling the unicode_decode_call_errorhandler function, which allows remote attackers to obtain sensitive information (process memory) or cause a denial of service (memory corruption and crash) via unspecified vectors.


Timeline using the disclosure date 2012-04-14 as reference: