Skip to content

UAF in Element.findtext() when tag __eq__ mutates parent #148735

Open
Open
UAF in Element.findtext() when tag __eq__ mutates parent#148735
Assignees
StanFromIreland
Labels
extension-modulesC modules in the Modules dirtopic-XMLtype-crashA hard crash of the interpreter, possibly with a core dump
@StanFromIreland

Description

@StanFromIreland
StanFromIreland
opened on Apr 18, 2026

Crash report

What happened?

Similar to #126037.

from xml.etree.ElementTree import Element, SubElement

class T(str):
    def __eq__(self, other):
        root.clear()
        return True

root = Element('a')
SubElement(root, T('a')).text = str(object())
repr(root.findtext('a'))

Under UBSan results in:

Objects/object.c:766:19: runtime error: member access within misaligned address 0xdddddddddddddddd for type 'struct PyTypeObject', which requires 8 byte alignment
0xdddddddddddddddd: note: pointer points here
<memory cannot be printed>
Segmentation fault         (core dumped)

CPython versions tested on:

CPython main branch

Operating systems tested on:

No response

Output from running 'python -VV' on the command line:

No response

Linked PRs

Metadata

Metadata

Assignees

Labels

extension-modulesC modules in the Modules dirtopic-XMLtype-crashA hard crash of the interpreter, possibly with a core dump

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions