Decompression Error in Python's bz2 Module Affects Data Integrity
CVE-2026-9669

8.2HIGH

What is CVE-2026-9669?

A serious vulnerability has been identified within the bz2 module of Python, where bz2.BZ2Decompressor objects are susceptible to reuse following a decompression error. When an application captures the resulting OSError and retries using the same decompressor instance, it may allow crafted input to exploit an invalid internal state. This exploitation could lead to out-of-bounds writes to a stack buffer, potentially crashing the application when handling untrusted data.

Affected Version(s)

CPython 0 < 3.13.14

CPython 3.14.0 < 3.14.6

CPython 3.15.0a1 < 3.15.0b3

References

CVSS V4

Score:
8.2
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Bitshift (https://github.com/TheShiftedBit)
Emma Smith (https://github.com/emmatyping)
Stan Ulbrych (https://github.com/StanFromIreland)
Serhiy Storchaka (https://github.com/serhiy-storchaka)
.