Skip to main content

Cpython CVE-2026-6100

| EUVDEUVD-2026-22028 CRITICAL
Use After Free (CWE-416)
2026-04-13 PSF
9.1
CVSS 4.0 · Vendor: PSF
Share

Severity by source

Vendor (PSF) PRIMARY
9.1 CRITICAL
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Red Hat
8.1 HIGH
qualitative

Primary rating from Vendor (PSF).

CVSS VectorVendor: PSF

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
Analysis Updated
Apr 17, 2026 - 15:36 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 17, 2026 - 15:22 vuln.today
cvss_changed
Analysis Generated
Apr 15, 2026 - 12:31 vuln.today
EUVD ID Assigned
Apr 13, 2026 - 18:00 euvd
EUVD-2026-22028
Analysis Generated
Apr 13, 2026 - 18:00 vuln.today
Patch released
Apr 13, 2026 - 18:00 nvd
Patch available
CVE Published
Apr 13, 2026 - 17:15 nvd
CRITICAL 9.1

DescriptionCVE.org

Use-after-free (UAF) was possible in the lzma.LZMADecompressor, bz2.BZ2Decompressor, and gzip.GzipFile when a memory allocation fails with a MemoryError and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition.

The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a MemoryError is raised during decompression. Using the helper functions to one-shot decompress data such as lzma.decompress(), bz2.decompress(), gzip.decompress(), and zlib.decompress() are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.

AnalysisAI

CPython decompression modules (lzma, bz2, gzip) allow memory corruption via use-after-free when decompressor instances are reused after MemoryError exceptions under memory pressure. Affects all CPython versions before 3.15.0. Exploitation requires network-accessible Python service that decompresses attacker-controlled data, operates under memory constraints, and reuses decompressor objects across multiple operations-a narrow but realistic scenario in containerized environments or resource-limited systems. No active exploitation confirmed (EPSS 0.05%, not in CISA KEV). Patch available via CPython 3.15.0.

Technical ContextAI

This is a use-after-free (CWE-416) in CPython's C implementation of decompression libraries. When lzma.LZMADecompressor, bz2.BZ2Decompressor, or gzip.GzipFile encounter memory allocation failures during decompression operations, they raise MemoryError but fail to clean up internal pointers to freed memory. If the application catches this exception and reuses the same decompressor instance for subsequent operations, the dangling pointer can be exploited for arbitrary memory corruption. The vulnerability exists in the stateful decompressor classes but NOT in one-shot helper functions (lzma.decompress(), bz2.decompress(), gzip.decompress(), zlib.decompress()) which create fresh instances per call. Affects CPython versions prior to 3.15.0 across all platforms. The CVSS 4.0 vector indicates network attack vector with high attack complexity (AC:H) and present attack technique (AT:P), reflecting the narrow exploitation window requiring memory pressure conditions. The fix (commits 6a5f79c, 8fc66ae, c3cf71c) adds cleanup logic to null out dangling pointers in error paths.

RemediationAI

Upgrade to CPython 3.15.0 or later, which includes fixes in commits 6a5f79c8d7, 8fc66aef6d, c3cf71c336, 47128e64f9, and e20c6c9667. For environments unable to upgrade immediately, implement these compensating controls with noted trade-offs: (1) Replace stateful decompressor instances with one-shot helper functions like lzma.decompress()-eliminates vulnerability but may increase memory overhead for large datasets by creating new instances per operation. (2) Implement strict error handling that terminates decompression workflows on MemoryError rather than catching and continuing-prevents reuse but reduces service resilience under load. (3) Deploy memory limits and monitoring to prevent MemoryError conditions entirely-reduces attack surface but may cause legitimate operations to fail. (4) For containerized deployments, allocate sufficient memory overhead (recommendation: 150% of expected peak decompression working set) to avoid memory pressure scenarios-increases resource costs. None of these mitigations provide complete protection; upgrade remains the definitive solution. Verify fix deployment via python --version and review application code for decompressor reuse patterns.

CVE-2026-11972 HIGH
8.2 Jun 23

Denial of service in CPython's tarfile module allows remote attackers to trigger an infinite loop by supplying a crafted

CVE-2026-9669 HIGH
8.2 Jun 08

Stack-based buffer overflow in CPython's bz2.BZ2Decompressor allows remote attackers to crash Python applications by sen

CVE-2026-11940 HIGH
7.8 Jun 23

Path traversal in CPython's tarfile module allows a crafted tar archive to bypass the 'data' and 'tar' extraction filter

CVE-2026-4786 HIGH
7.0 Apr 13

Command injection in CPython's webbrowser.open() API bypasses previous CVE-2026-4519 mitigation via specially crafted UR

CVE-2026-4519 HIGH
7.0 Mar 20

The webbrowser.open() API in CPython accepts URLs with leading dashes, which certain web browsers interpret as command-l

CVE-2026-7774 MEDIUM
6.9 Jun 04

Path traversal in CPython's tarfile module allows malicious tar archives to bypass the data_filter safety mechanism and

CVE-2026-7210 MEDIUM
6.3 May 11

XML parsers in CPython's xml.parsers.expat and xml.etree.ElementTree modules use insufficient entropy for Expat hash-flo

CVE-2026-3276 MEDIUM
6.3 Jun 03

Denial-of-service via quadratic algorithmic complexity in CPython's unicodedata.normalize() affects all CPython versions

CVE-2026-8328 MEDIUM
5.9 May 13

Server-Side Request Forgery in CPython's ftplib module allows a malicious FTP source server to redirect a target FTP ser

CVE-2026-12003 MEDIUM
5.3 Jun 16

Privilege escalation in CPython on Windows enables a low-privileged local user to hijack the module search path of a mor

CVE-2026-0864 MEDIUM
4.1 Jun 23

Config file injection in CPython's configparser module allows an attacker who controls multi-line values written via con

CVE-2026-6019 LOW
2.1 Apr 22

CPython's http.cookies.Morsel.js_output() method generates inline script snippets that fail to neutralize the HTML parse

Vendor StatusVendor

SUSE

Severity: High
Product Status
SLES15-SP5-CHOST-BYOS-SAP-CCloud Fixed
SLES15-SP6-CHOST-BYOS Fixed
SLES15-SP6-CHOST-BYOS-Aliyun Fixed
SLES15-SP6-CHOST-BYOS-Azure Fixed
SLES15-SP6-CHOST-BYOS-EC2 Fixed

Share

CVE-2026-6100 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy