python
diff --git a/‎Lib/test/test_dict.py
Lines changed: 18 additions & 0 deletions b/‎Lib/test/test_dict.py
Lines changed: 18 additions & 0 deletions
diff --git a/‎Misc/NEWS.d/next/Core_and_Builtins/2024-08-17-17-26-25.gh-issue-123083.9xWLJ-.rst
Lines changed: 1 addition & 0 deletions b/‎Misc/NEWS.d/next/Core_and_Builtins/2024-08-17-17-26-25.gh-issue-123083.9xWLJ-.rst
Lines changed: 1 addition & 0 deletions
diff --git a/‎Python/bytecodes.c
Lines changed: 1 addition & 1 deletion b/‎Python/bytecodes.c
Lines changed: 1 addition & 1 deletion
diff --git a/‎Python/executor_cases.c.h
Lines changed: 1 addition & 1 deletion b/‎Python/executor_cases.c.h
Lines changed: 1 addition & 1 deletion
diff --git a/‎Python/generated_cases.c.h
Lines changed: 1 addition & 1 deletion b/‎Python/generated_cases.c.h
Lines changed: 1 addition & 1 deletion
@@ -1476,6 +1476,24 @@ def test_dict_items_result_gc_reversed(self):
         gc.collect()
         self.assertTrue(gc.is_tracked(next(it)))
 
+    def test_store_evilattr(self):
+        class EvilAttr:
+            def __init__(self, d):
+                self.d = d
+
+            def __del__(self):
+                if 'attr' in self.d:
+                    del self.d['attr']
+                gc.collect()
+
+        class Obj:
+            pass
+
+        obj = Obj()
+        obj.__dict__ = {}
+        for _ in range(10):
+            obj.attr = EvilAttr(obj.__dict__)
+
     def test_str_nonstr(self):
         # cpython uses a different lookup function if the dict only contains
         # `str` keys. Make sure the unoptimized path is used when a non-`str`
 
@@ -0,0 +1 @@
+Fix STORE_ATTR_WITH_HINT has potential use-after-free.
@@ -2234,12 +2234,12 @@ dummy_func(
             PyDict_WatchEvent event = old_value == NULL ? PyDict_EVENT_ADDED : PyDict_EVENT_MODIFIED;
             new_version = _PyDict_NotifyEvent(tstate->interp, event, dict, name, PyStackRef_AsPyObjectBorrow(value));
             ep->me_value = PyStackRef_AsPyObjectSteal(value);
-            Py_XDECREF(old_value);
             STAT_INC(STORE_ATTR, hit);
             /* Ensure dict is GC tracked if it needs to be */
             if (!_PyObject_GC_IS_TRACKED(dict) && _PyObject_GC_MAY_BE_TRACKED(PyStackRef_AsPyObjectBorrow(value))) {
                 _PyObject_GC_TRACK(dict);
             }
+            Py_XDECREF(old_value);
             /* PEP 509 */
             dict->ma_version_tag = new_version;
             PyStackRef_CLOSE(owner);
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Fix STORE_ATTR_WITH_HINT has potential use-after-free.`