22 free-threading race conditions
Bug report
Changes
2026-05-13: Filed issue.
2026-06-08: Added new findings (16) and (86).
Bug description
I found 22 free-threading race conditions during a partial Xint Code scan of cpython. These only apply to the free-threaded build, and were all found and tested on commit 0534774 built with ./configure --disable-gil --enable-asan on an M3 Mac.
I'm attaching a zip file with detailed writeups of each, as well as reproduction cases for 15 of the 22 issues. I don't have scripts reproducing the findings numbered 21, 36, 82, 94, 106, 115, or 124. Race conditions can be difficult to trigger, and even the scripts I provided are trying to win tight races and may not always work.
I know this is a lot. @colesbury suggested I create a combined issue to make the triage discussion easier.
Let me know if you have any questions or concerns. The issues were found and written up by an automated system, but I have put additional work into the validation and reporting. I do want to be respectful of everyone's time while helping to make Python better.
Writeups
2026-05-13: Initial writeups and test scripts: cpython-ft.zip
2026-06-08: New writeups and test scripts for (16) and (86): cpython-ft-2026-06-08.zip
Many of the scripts are expected to crash, however some of them only produce exceptions or corrupted output. You should be able to run any of the scripts with PYTHON_GIL=1 set in your environment if you want to see a baseline without the race condition.
Finding List
- (16) Cross-interpreter syslog race
- (17) Unlocked
__init__races with PRNG state access inModules/_randommodule.c - (21) Racy EVP_MD cache overwrite leaks references in
Modules/_hashopenssl.c - (36) Borrowed type lookup races to use-after-free in
Objects/typeobject.c - (49) SNI callback callable race use-after-free in
Modules/_ssl.c - (61) Racy weakref head load before incref in
Objects/typeobject.c - (62) Concurrent kwargs growth causes heap overwrite in
Objects/call.c - (69) Unsynchronized extra pointer dereference in len in
Modules/_elementtree.c - (82) Non-atomic list slot memmove in shared list delete in
Objects/listobject.c - (84) Iterator path bypasses buffered object lock in
Modules/_io/bufferedio.c - (86) Cross-interpreter XID registry race
- (87) Unsynchronized Element.text borrowed-pointer race in
Modules/_elementtree.c - (89) Unsynchronized dict iteration causes borrowed-ref UAF in
Modules/_pickle.c - (91) Racy list item borrow causes UAF in
Modules/_pickle.c - (94) Async-exception setter races thread-state free in
Python/pystate.c - (96) Racy GC callback list iteration in
Python/gc_free_threading.c - (106) Immediate decref races lock-free reader in
Modules/_ctypes/_ctypes.c - (108) Borrowed dict used after lock release in
Objects/dictobject.c - (115) Split clear frees keys without QSBR in
Objects/dictobject.c - (124) Stale keys race in attribute hint fastpath in
Python/bytecodes.c - (125 wontfix) Struct reinit races with pack/unpack in
Modules/_struct.c - (128) Borrowed list item raced before incref in
Objects/bytesobject.c - (129) Reentrant
__index__causes released-buffer dereference inObjects/memoryobject.c - (132) Non-atomic exports race in memoryview.hex in
Objects/memoryobject.c
CPython versions tested on:
3.14
Operating systems tested on:
macOS
Linked PRs
- gh-149816: Fix a RC in
_random.Random.__init__method #149824 - gh-149816: Fix race condition in
memoryviewwith free-threading #149858 - [3.15] gh-149816: Fix race condition in
memoryviewwith free-threading (GH-149858) #149875 - [3.14] gh-149816: Fix race condition in
memoryviewwith free-threading (GH-149858) #149876 - [3.13] gh-149816: Fix race condition in
memoryviewwith free-threading (GH-149858) #149877 - gh-149816: Fix a race condition in
_PyBytes_FromListwith free-threading #149909 - [3.15] gh-149816: Fix a race condition in
_PyBytes_FromListwith free-threading (GH-149909) #149911 - [3.14] gh-149816: Fix a race condition in
_PyBytes_FromListwith free-threading (GH-149909) #149912 - gh-149816: fix
dict.clear()race on split-table dict with non-embedded values #149914 - gh-149816: Fix race conditions in
Modules/_elementtree.cwith free-threaded #149918 - gh-149816: fix thread safety of deletion of list slice #149936
- [3.15] gh-149816: Fix a RC in
_random.Random.__init__method (GH-149824) #149997 - [3.14] gh-149816: Fix a RC in
_random.Random.__init__method (GH-149824) #149998 - [3.15] gh-149816: fix
dict.clear()race on split-table dict with non-embedded values (GH-149914) #150000 - [3.15] gh-149816: fix thread safety of deletion of list slice (GH-149936) #150003
- [3.14] gh-149816: fix thread safety of deletion of list slice (GH-149936) #150004
- gh-149816: Fix UAF in Modules/_pickle.c #150024
- gh-149816: #96 Fix a race condition in invoke_gc_callback with free threading #150029
- gh-149816: Fix SNI callback callable race #150018
- [3.15] gh-149816: Fix SNI callback callable race (GH-150018) #150099
- [3.14] gh-149816: Fix SNI callback callable race (GH-150018) #150100
- gh-149816: fix concurrent
kwargsgrowth in_thread.start_new_thread#150168 - gh-149816: Fix race in subtype_getweakref in free-threading build #150247
- gh-149816: add missing critical section on self in buffered_iternext #150295
- [3.15] gh-149816: add missing critical section on self in buffered_iternext (GH-150295) #150305
- [3.14] gh-149816: add missing critical section on self in buffered_iternext (GH-150295) #150306