CVE-2019-18874: Double Free in psutil
CVSS Score (v3.1): 7.5
Basic Information
CVE ID: CVE-2019-18874
GHSA ID: not given
EPSS Score: 0.30721%
CWE: not given
Published: 3/12/2020
Updated: 10/21/2024
KEV Status: No
Technology: Python
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
psutil | pip | <= 5.6.5 | 5.6.6 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stemmed from using Py_DECREF instead of Py_CLEAR in loops that create Python objects. Commit 7d512c8 shows a systematic replacement of Py_DECREF with Py_CLEAR across multiple functions in the platform-specific C files. These functions convert system data into Python objects inside while/for loops, and Py_DECREF drops the reference but leaves the pointer variable non-NULL and pointing at freed memory. If object creation failed in a later iteration, the shared error-handling path would decrement that stale pointer again, freeing the object a second time. Py_CLEAR avoids this by setting the variable to NULL after the decrement, so the error path's Py_XDECREF becomes a no-op. The pattern is consistent across all patched functions, and the analysis is made with high confidence because the security commit fixes exactly this idiom.