CVE-2026-9669

HIGH

CPython bz2.BZ2Decompressor - Stack Buffer Overflow


Description

bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.

Scores

CVSS v4: 8.2
EPSS: 0.0037
EPSS Percentile: 29.1%
CVSS v4 vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Details

CWE: CWE-121
Status: published
Products (4)
Python Software Foundation/CPython < 3.13.14
Python Software Foundation/CPython < 3.16.0
Python Software Foundation/CPython 3.14.0 - 3.14.6
Python Software Foundation/CPython 3.15.0a1 - 3.15.0
Published: Jun 08, 2026
Tracked Since: Jun 09, 2026