Skip to main content

CPython bz2 module CVE-2026-9669

| EUVDEUVD-2026-35202 HIGH
Stack-based Buffer Overflow (CWE-121)
2026-06-08 PSF GHSA-8jvr-397x-xqh9
8.2
CVSS 4.0 · Vendor: PSF
Share

Severity by source

Vendor (PSF) PRIMARY
8.2 HIGH
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
4.7 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Red Hat
5.9 MEDIUM
qualitative

Primary rating from Vendor (PSF).

CVSS VectorVendor: PSF

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Source Code Evidence Fetched
Jun 09, 2026 - 01:20 vuln.today
Analysis Generated
Jun 09, 2026 - 01:20 vuln.today
CVSS changed
Jun 08, 2026 - 23:22 NVD
8.2 (HIGH)
CVE Published
Jun 08, 2026 - 22:01 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.

AnalysisAI

Stack-based buffer overflow in CPython's bz2.BZ2Decompressor allows remote attackers to crash Python applications by sending crafted bzip2 data when the application reuses the decompressor object after catching a prior OSError. The flaw stems from libbz2's internal state being left inconsistent after a decompression error, and reuse causes out-of-bounds writes to a stack buffer. No public exploit identified at time of analysis and the issue is not in CISA KEV; the practical impact is denial of service against Python services that process untrusted bzip2 streams.

Technical ContextAI

The vulnerability lives in Modules/_bz2module.c in CPython's wrapper around libbz2. When BZ2_bzDecompress() returns an error code, the wrapper previously raised OSError but left the underlying bz_stream in a state that libbz2 considers invalid for further calls. If a Python caller then invokes decompress() again on the same BZ2Decompressor instance, libbz2 re-enters its decompression state machine from a corrupted offset, producing out-of-bounds writes into a stack-allocated buffer used by the C extension - the textbook CWE-121 stack-based buffer overflow pattern. The fix (PR #150600) records the bzerror code on the decompressor and raises ValueError 'Decompressor is unusable after a previous error' on any subsequent call, preventing the second entry into BZ2_bzDecompress(). Affected CPE is cpe:2.3:a:python_software_foundation:cpython covering all versions prior to the patched releases.

RemediationAI

Upgrade CPython to the patched release identified in the PSF security-announce advisory at https://mail.python.org/archives/list/security-announce@python.org/thread/DBJZETMGUIFK7DVUWMOXHD3Z6IX2QPSX/, which incorporates PR https://github.com/python/cpython/pull/150600; the upstream fix is confirmed in the cpython repository but exact tagged release versions should be taken from that advisory rather than inferred. As a code-level workaround if interpreter upgrade is blocked, modify application code so that BZ2Decompressor instances are discarded and re-instantiated after any OSError from decompress() rather than retried, which fully eliminates the unsafe reuse path at the cost of forcing callers to restart any in-progress stream. As a deployment compensating control, reject or quarantine untrusted bzip2 input at the boundary (size and source filtering on uploads, archives, and HTTP bodies) until the runtime is patched; the trade-off is reduced functionality for legitimate bzip2 uploads.

CVE-2026-6100 CRITICAL
9.1 Apr 13

CPython decompression modules (lzma, bz2, gzip) allow memory corruption via use-after-free when decompressor instances a

CVE-2026-11972 HIGH
8.2 Jun 23

Denial of service in CPython's tarfile module allows remote attackers to trigger an infinite loop by supplying a crafted

CVE-2026-11940 HIGH
7.8 Jun 23

Path traversal in CPython's tarfile module allows a crafted tar archive to bypass the 'data' and 'tar' extraction filter

CVE-2026-4786 HIGH
7.0 Apr 13

Command injection in CPython's webbrowser.open() API bypasses previous CVE-2026-4519 mitigation via specially crafted UR

CVE-2026-4519 HIGH
7.0 Mar 20

The webbrowser.open() API in CPython accepts URLs with leading dashes, which certain web browsers interpret as command-l

CVE-2026-7774 MEDIUM
6.9 Jun 04

Path traversal in CPython's tarfile module allows malicious tar archives to bypass the data_filter safety mechanism and

CVE-2026-7210 MEDIUM
6.3 May 11

XML parsers in CPython's xml.parsers.expat and xml.etree.ElementTree modules use insufficient entropy for Expat hash-flo

CVE-2026-3276 MEDIUM
6.3 Jun 03

Denial-of-service via quadratic algorithmic complexity in CPython's unicodedata.normalize() affects all CPython versions

CVE-2026-8328 MEDIUM
5.9 May 13

Server-Side Request Forgery in CPython's ftplib module allows a malicious FTP source server to redirect a target FTP ser

CVE-2026-12003 MEDIUM
5.3 Jun 16

Privilege escalation in CPython on Windows enables a low-privileged local user to hijack the module search path of a mor

CVE-2026-0864 MEDIUM
4.1 Jun 23

Config file injection in CPython's configparser module allows an attacker who controls multi-line values written via con

CVE-2026-6019 LOW
2.1 Apr 22

CPython's http.cookies.Morsel.js_output() method generates inline script snippets that fail to neutralize the HTML parse

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SLES15-SP5-CHOST-BYOS-SAP-CCloud Not-Affected
SLES15-SP5-CHOST-BYOS-SAP-CCloud Affected
SLES15-SP6-CHOST-BYOS Affected
SLES15-SP6-CHOST-BYOS-Aliyun Affected
SLES15-SP6-CHOST-BYOS-Azure Affected

Share

CVE-2026-9669 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy