Description

bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.
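As an added illustration of the safe handling pattern (this is example code, not code from the CPython project or from the fix referenced in this record): a wrapper that refuses to feed a `bz2.BZ2Decompressor` again once it has raised, and a retry loop that always starts from a freshly constructed decompressor. The class name `FailClosedDecompressor`, the function names and the sample inputs are my own constructions.

```python
import bz2

# Constructed sample inputs: one valid bz2 stream and one byte string that
# is not a bz2 stream at all (libbz2 rejects the missing "BZh" magic).
SAMPLE_PLAINTEXT = b"hello bz2 " * 64
SAMPLE_STREAM = bz2.compress(SAMPLE_PLAINTEXT)
CORRUPT_STREAM = b"not a bz2 stream at all"


class FailClosedDecompressor:
    """Wrap bz2.BZ2Decompressor so that an instance which has raised once
    can never be fed again; a retry must construct a new instance."""

    def __init__(self):
        self._dec = bz2.BZ2Decompressor()
        self.failed = False

    def decompress(self, data, max_length=-1):
        if self.failed:
            raise RuntimeError("decompressor poisoned by earlier error; create a new one")
        try:
            return self._dec.decompress(data, max_length)
        except OSError:
            self.failed = True
            self._dec = None  # drop the native object so its state cannot be resumed
            raise

    @property
    def eof(self):
        return self._dec is not None and self._dec.eof


def decompress_first_valid(candidates):
    """Try each candidate stream with a fresh decompressor per attempt.
    Returns (index, plaintext) of the first complete stream, else (None, b"")."""
    for index, data in enumerate(candidates):
        dec = FailClosedDecompressor()
        try:
            out = dec.decompress(data)
        except OSError:
            continue  # `dec` is discarded; the next attempt gets a new object
        if dec.eof:
            return index, out
    return None, b""


def reuse_is_refused():
    """Show that a poisoned wrapper rejects a retry even with valid input."""
    dec = FailClosedDecompressor()
    try:
        dec.decompress(CORRUPT_STREAM)
    except OSError:
        pass
    try:
        dec.decompress(SAMPLE_STREAM)
    except RuntimeError:
        return True
    return False
```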

PUBLISHED | Reserved 2026-05-27 | Published 2026-06-08 | Updated 2026-06-08 | Assigner PSF

HIGH: 8.2 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-121 Stack-based buffer overflow

Product status

Default status: unaffected

Any version before 3.16.0: affected

Credits

Bitshift (https://github.com/TheShiftedBit) reporter

Emma Smith (https://github.com/emmatyping) coordinator

Stan Ulbrych (https://github.com/StanFromIreland) remediation developer

Serhiy Storchaka (https://github.com/serhiy-storchaka) remediation reviewer

References

www.openwall.com/lists/oss-security/2026/06/08/17

github.com/python/cpython/pull/150600 patch

mail.python.org/.../thread/DBJZETMGUIFK7DVUWMOXHD3Z6IX2QPSX/ vendor-advisory

github.com/python/cpython/issues/150599 issue-tracking

cve.org (CVE-2026-9669)

nvd.nist.gov (CVE-2026-9669)