Improper File Handling in CPython Affecting .pyc Files
CVE-2026-2297

5.7MEDIUM

Key Information:

Vendor

Python Software Foundation

Status
Cpython
Vendor
CVE Published:
4 March 2026

What is CVE-2026-2297?

The vulnerability arises from the improper handling of legacy .pyc files within CPython's import hook. Specifically, the SourcelessFileLoader does not utilize the io.open_code() function in the FileLoader base class, which leads to the failure of sys.audit handlers that are designed to monitor this audit event. This oversight could potentially allow certain actions to occur without appropriate logging or oversight, raising concerns related to the integrity of all imported modules.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

CPython 0 < 3.15.0

References

https://github.com/python/cpython/issues/145506
issue-tracking
https://github.com/python/cpython/pull/145507
patch
https://github.com/python/cpython/commit/482d6f8bdba9da37...
patch

CVSS V4

Score:
5.7
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.