bz2.BZ2Decompressor reuse after error can cause a stack buffer overflow
CVE-2026-9669

8.2HIGH

Key Information:

Vendor: Python Software Foundation
Status: Cpython
Vendor: CVE Published:; 8 June 2026

🔔 Create Python Software Foundation Vulnerability Alert

What is CVE-2026-9669?

bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.

Affected Version(s)

CPython 0 < 3.16.0

References

https://github.com/python/cpython/pull/150600

https://mail.python.org/archives/list/security-announce@p...

vendor-advisory

https://github.com/python/cpython/issues/150599

CVSS V4

Score:

8.2

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 8, 2026
Vulnerability Reserved
May 27, 2026

Credit

Bitshift (https://github.com/TheShiftedBit)

Emma Smith (https://github.com/emmatyping)

Stan Ulbrych (https://github.com/StanFromIreland)

Serhiy Storchaka (https://github.com/serhiy-storchaka)

CVE-2026-9669 Data

.