CVE-2026-9669

high

Description

bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.

References

https://mail.python.org/archives/list/[email protected]/thread/DBJZETMGUIFK7DVUWMOXHD3Z6IX2QPSX/

https://github.com/python/cpython/pull/150600

https://github.com/python/cpython/issues/150599

https://github.com/python/cpython/commit/d3ca26983dfbccdf609f24ff5877dc3118e4702d

https://github.com/python/cpython/commit/619a12b2e545391dc436b3af79dda22337382a6f

https://github.com/python/cpython/commit/5755d0f083949ff3c5bf3a37e673e24e306b036e

https://github.com/python/cpython/commit/157a5df8cb5d82b33f918a7489e72ce95ceb12b6

http://www.openwall.com/lists/oss-security/2026/06/08/17

Details

Source: Mitre, NVD

Published: 2026-06-08

Updated: 2026-06-23

Risk Information

CVSS v2

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P

Severity: Medium

CVSS v3

Base Score: 5.5

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Severity: Medium

CVSS v4

Base Score: 8.2

Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Severity: High

EPSS

EPSS: 0.00042