A defect was discovered in the Python “ssl” module where there is a memory race condition with the ssl.SSLContext methods “cert_store_stats()” and “get_ca_certs()”. The race condition can be triggered if the methods are called at the same time as certificates are loaded into the SSLContext, such as during the TLS handshake with a certificate directory configured. This issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5.
Conclusion & alert: CVE-2024-0397 is rated Moderate Risk (48.1/100): CVSS High severity, with medium exploitation likelihood (EPSS 0.80%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS note: the daily EPSS score estimates the relative likelihood that this CVE will be exploited; the percentile ranks it among all scored vulnerabilities (a higher percentile means a higher relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.40% | 0.80% | +0.41% |
| 2 | 2026-05-29 | 0.33% | 0.40% | +0.07% |
| 3 | 2026-05-24 | — | 0.33% | — |
Full EPSS history (13 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 7.4 | 3.1 | HIGH | | 2.2 | 5.2 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 |
| vendor | priority | summary | link |
|---|---|---|---|
| debian | unimportant | CVE-2024-0397 unimportant priority: Debian including 5 source packages (pypy3, python2.7, python3.11, python3.13, python3.9), 11 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 8, open 3. | https://security-tracker.debian.org/tracker/CVE-2024-0397 |
| redhat | low | — | https://access.redhat.com/security/cve/CVE-2024-0397 |
| suse | medium | CVE-2024-0397 severity moderate: SUSE including 519 source package names (0.0.17-1.1:libpython3_11-1_0-3.11.9-150600.3.3.1, 0.0.17-1.1:libpython3_6m1_0-3.6.15-150300.10.65.1, …), 2223 product×package rows across 425 product lines (Container bci/bci-base-fips, Container bci/bci-sle15-kernel-module-devel, …): Fixed 1838, Known Affected 225, Known Not Affected 160. | https://www.suse.com/security/cve/CVE-2024-0397/ |
| ubuntu | medium | CVE-2024-0397 medium priority: Ubuntu including 10 source packages (python2.7, python3.10, …), 89 status rows across 11 suites (bionic, focal, jammy, mantic, noble, oracular, plucky, questing, trusty, upstream, xenial): DNE 60, needs-triage 19, not-affected 4, released 4, ignored 2. | https://ubuntu.com/security/CVE-2024-0397 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| No affected products in dataset. | | | |