CVE-2026-6100
Use-After-Free in Python Decompressors on MemoryError
Publication date: 2026-04-13
Last updated on: 2026-04-14
Assigner: Python Software Foundation
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| python | python | * |
| python | lzma | * |
| python | bz2 | * |
| python | gzip | * |
| python | zlib | * |
| python | cpython | From 3.10 (inc) to 3.14 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
| CWE-416 | The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-6100 is a critical use-after-free (UAF) vulnerability in Python's decompression modules for LZMA, BZ2, and gzip. It occurs when a decompressor instance is reused after a MemoryError is raised due to a failed memory allocation during decompression, typically under memory pressure. In this situation, a dangling pointer remains inside the decompressor object, which can lead to unsafe memory access or undefined behavior.
This vulnerability only affects programs that reuse decompressor instances across multiple decompression calls after such an error. One-shot decompression helper functions that create new decompressor instances per call are not affected. The fix involves clearing the dangling input pointer in the error handling path to prevent use-after-free conditions.
How can this vulnerability impact me?
This vulnerability can lead to use-after-free conditions where the program accesses memory that has already been freed. This can cause undefined behavior, including crashes, memory corruption, or potential security risks such as arbitrary code execution or information disclosure.
The impact is specifically relevant if your application reuses decompressor instances after a MemoryError during decompression. Under memory pressure, this can cause the decompressor to reference invalid memory, potentially leading to exploitation or instability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability occurs specifically when Python decompressor instances (lzma.LZMADecompressor, bz2.BZ2Decompressor, gzip.GzipFile) are re-used after a MemoryError is raised during decompression under memory pressure. Detection involves monitoring for such error conditions and reuse patterns in your Python applications.
There are no direct network-level indicators or specific commands provided in the resources to detect this vulnerability on your system or network.
To detect if your Python environment is vulnerable, you can check the Python version and whether it includes the fix for CVE-2026-6100. Additionally, reviewing application logs for MemoryError exceptions during decompression and verifying if decompressor instances are reused after such errors can help identify potential exposure.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update your Python installation to a version that includes the fix for CVE-2026-6100. The fix was applied starting with Python 3.13 and backported to supported branches including 3.10 through 3.14.
If updating is not immediately possible, avoid re-using decompressor instances (lzma.LZMADecompressor, bz2.BZ2Decompressor, gzip.GzipFile) after a MemoryError occurs during decompression. Instead, create new decompressor instances for each decompression call.
Using the one-shot decompression helper functions such as lzma.decompress(), bz2.decompress(), gzip.decompress(), and zlib.decompress() is safe, as these create new decompressor instances per call and are not affected by this vulnerability.
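The pattern recommended above, as an added example that is not part of the advisory or of CPython: a streaming decompression helper that uses one fresh instance per stream and never feeds it again once a MemoryError has been raised, shown for bz2, lzma and zlib. The sample payload and the FailingDecompressor stand-in (which simulates the failed-allocation path, since a real MemoryError is hard to provoke on demand) are constructed for this example.

```python
import bz2
import lzma
import zlib

# Constructed sample payload; the advisory provides no test data.
SAMPLE = b"advisory sample payload " * 64
# (compress function, streaming decompressor factory) per affected module.
CODECS = {"bz2": (bz2.compress, bz2.BZ2Decompressor),
          "lzma": (lzma.compress, lzma.LZMADecompressor),
          "zlib": (zlib.compress, zlib.decompressobj)}

def chunked(data, size=64):
    """Split bytes into fixed-size pieces to mimic a streamed download."""
    return [data[i:i + size] for i in range(0, len(data), size)]

class DecompressorDiscarded(RuntimeError):
    """A streaming decompressor hit MemoryError and was thrown away."""

def decompress_stream(chunks, factory):
    """Safe pattern: fresh instance per stream, never fed again after MemoryError."""
    d = factory()
    out = bytearray()
    try:
        for chunk in chunks:
            out += d.decompress(chunk)
    except MemoryError as exc:
        # The failed allocation may leave a dangling input pointer in d
        # (CVE-2026-6100); do not catch-and-continue with the same instance.
        # Surface the error so the caller starts over with a new decompressor.
        raise DecompressorDiscarded("restart with a new decompressor") from exc
    if not d.eof:
        raise ValueError("truncated compressed stream")
    return bytes(out)

def roundtrip(name, data=SAMPLE):
    """Compress with the named module, then stream it back through decompress_stream."""
    compress, factory = CODECS[name]
    return decompress_stream(chunked(compress(data)), factory)

class FailingDecompressor:
    """Constructed stand-in that raises MemoryError on its second call."""
    def __init__(self):
        self.calls, self.eof = 0, False

    def decompress(self, data):
        self.calls += 1
        if self.calls == 2:
            raise MemoryError("simulated failed allocation")
        return data
```

The pattern to flag in code review is the opposite: an `except MemoryError: continue` inside the feeding loop that keeps calling `decompress()` on the same instance.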
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of CVE-2026-6100 on compliance with common standards and regulations such as GDPR or HIPAA.