Skip to content

_interpqueuesmodule.c: Use-after-free from dangling items.last pointer #146427

New issue
New issue
Open
Open
_interpqueuesmodule.c: Use-after-free from dangling items.last pointer#146427
Labels
extension-modulesC modules in the Modules dirtopic-subinterpreterstype-crashA hard crash of the interpreter, possibly with a core dump
@aisk

Description

@aisk
aisk
opened on Mar 25, 2026

Crash report

What happened?

Summary

_queue_clear_interpreter in Modules/_interpqueuesmodule.c (lines 739-774) never updates queue->items.last when removing the tail item. After the item is freed, items.last is a dangling pointer. Next queue operation writes to freed memory.

I have a working patch on this issue, will sending the PR later.

CPython versions tested on:

CPython main branch

Operating systems tested on:

No response

Output from running 'python -VV' on the command line:

No response

Linked PRs

Metadata

Metadata

Assignees

No one assigned

    Labels

    extension-modulesC modules in the Modules dirtopic-subinterpreterstype-crashA hard crash of the interpreter, possibly with a core dump

    Projects

    Subinterpreters

    Status

    Todo

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions