Use-After-Free Vulnerability in Python's Decompression Libraries
CVE-2026-6100

9.1 CRITICAL

What is CVE-2026-6100?

A use-after-free (UAF) vulnerability exists in Python's decompression libraries: lzma.LZMADecompressor, bz2.BZ2Decompressor, and gzip.GzipFile. It can be triggered when a decompressor instance is reused after a MemoryError was raised during decompression, a condition most likely to occur under memory pressure. Where decompression is done in a single call through the helper functions lzma.decompress(), bz2.decompress(), gzip.decompress(), and zlib.decompress(), the vulnerability is mitigated, because each call creates a new instance. To safeguard applications, developers must not reuse a decompressor instance after it has raised an error.
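The following is an added example, not code from the advisory or from CPython, showing the safe pattern it recommends for incremental decompression: one decompressor instance per attempt, dropped as soon as it raises MemoryError, with a retry that always starts from a fresh instance. The `make_flaky_factory` test double and the sample payload are constructed here to simulate memory pressure offline.

```python
import lzma

# Constructed sample input (not from the advisory).
SAMPLE = b"CVE-2026-6100 sample payload " * 64
LZMA_DATA = lzma.compress(SAMPLE)


def decompress_chunks(data, make_decompressor, chunk_size=64):
    """Feed `data` to ONE decompressor instance, chunk by chunk. The instance
    is created here and dropped on MemoryError; it is never fed again."""
    dec = make_decompressor()
    out = bytearray()
    try:
        for i in range(0, len(data), chunk_size):
            out += dec.decompress(data[i:i + chunk_size])
    except MemoryError:
        dec = None  # drop the failed instance; the caller must start over
        raise
    if not dec.eof:
        raise ValueError("truncated compressed stream")
    return bytes(out)


def decompress_with_retry(data, make_decompressor, retries=2):
    """Retry on MemoryError with a brand-new instance from the factory."""
    for attempt in range(retries + 1):
        try:
            return decompress_chunks(data, make_decompressor)
        except MemoryError:
            if attempt == retries:
                raise


def make_flaky_factory(fail_times=1):
    """Hypothetical test double: its decompressors raise MemoryError
    `fail_times` times to simulate memory pressure; counts instances."""
    state = {"remaining": fail_times, "instances": 0}

    class Flaky:
        def __init__(self):
            self._inner = lzma.LZMADecompressor()
        def decompress(self, data):
            if state["remaining"] > 0:
                state["remaining"] -= 1
                raise MemoryError("simulated memory pressure")
            return self._inner.decompress(data)
        @property
        def eof(self):
            return self._inner.eof

    def factory():
        state["instances"] += 1
        return Flaky()
    return factory, state
```

Because the failed instance is discarded, a successful retry always shows one more instance created than the number of failures.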

Affected Version(s)

CPython 0 < 3.15.0

References

CVSS V4

Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: High
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Ryan Hileman
Stan Ulbrych
Seth Larson