gh-138862: fix timestamp increment after UUIDv7 counter overflow by picnixz · Pull Request #146606 · python/cpython

picnixz · 2026-03-29T17:54:37Z

Issue: UUIDv7 continues to increment timestamp after counter overflow #138862

picnixz · 2026-03-29T21:41:34Z

I'll need to add a test for multiple overflows to see that I only increment on overflow.

picnixz · 2026-04-11T12:25:32Z

@hugovk @eendebakpt Could you have a look at this? TL;DR: it shouldn't happen in practice because the counter is a randomized 41-bit integer and its max value is $2^{42}-1$ so we won't have an issue. The only possibility where this may be an issue is if the clock only goes backward for some reasons and we keep incrementing the counter for all the UUIDs being collected. Note that we can only hit the counter overflow after $2^{41}$ samples.

From a practical PoV, $2^{41}$ is honestly the limit of physical machines for attack complexities in general in terms of memory (for instance, decoding attacks are no more relevant if you need more than $2^{40}$ bits as it's more a physical limitation rather than a time limitation). So from a security PoV, it does make sense to fix this edge case.

So, for a realistic attack, (or issue) one needs one of the following situations to happen:

clock only goes backward or we are never able to catch up the updated timestamps, and more than $2^{41}$ samples are collected to hit the first counter overflow; after the first counter overflow, the current code would update the timestamp more and more in the future, and we would never be able to catch it up.
you need to generate $2^{41}$ UUIDs within the same millisecond. Highly improbable (we can generate $10^6$ UUIDs, but not $10^{12}$).

eendebakpt · 2026-04-11T20:39:58Z

+            # after a counter overflow. We follow the RFC for in the former
+            # case. In the latter case, we re-use the already advanced
+            # timestamp (it was updated when we detected the overflow).
+            if _last_counter_v7_overflow:


The first case from the if-else is the "latter" case in the comments above. Maybe swap the order in the comments.

Oh right :') I changed so much this block that I forgot to update the comment. Thanks!

eendebakpt · 2026-04-11T20:52:25Z

    nanoseconds = time.time_ns()
    timestamp_ms = nanoseconds // 1_000_000

    if _last_timestamp_v7 is None or timestamp_ms > _last_timestamp_v7:


Side note: if we initialize _last_timestamp_v7 to a large negative value (e.g. -2**64), then we can remove the last_timestamp_v7 is None check.

Or just -1 and it's ok. You won't have a negative timestamp I think.

You could (according to Claude when setting the system time to before 1970). But since the timestamp is generated via a int64_t the value -2**64 should be safe.

eendebakpt · 2026-04-11T21:16:37Z

@picnixz I agree with your analysis. Whether or not to merge this PR (it fixes the bug) or leave as is (this will not happen in practice) I am 50/50 on.

picnixz · 2026-04-11T21:48:37Z

I don't think we are loosing much speed. We are only adding one comparison every time we are within the same millisecond. But this adds a bit complexity that we will need to replicate in C though not necessarily hard to do. But still, it's a bit annoying I think. I can also document the implementation more.

pythongh-138862: fix timestamp increment after UUIDv7 counter overflow

b3fa2d0

bedevere-app bot mentioned this pull request Mar 29, 2026

UUIDv7 continues to increment timestamp after counter overflow #138862

Open

bedevere-app bot added the awaiting core review label Mar 29, 2026

picnixz added the needs backport to 3.14 bugs and security fixes label Mar 29, 2026