CVE-2026-6100
Received Received - Intake
Use-After-Free in Python Decompressors on MemoryError

Publication date: 2026-04-13

Last updated on: 2026-04-14

Assigner: Python Software Foundation

Description
Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition. The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. Using the helper functions to one-shot decompress data such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-13
Last Modified
2026-04-14
Generated
2026-06-16
AI Q&A
2026-04-13
EPSS Evaluated
2026-06-15
NVD
CVE-2026-6100
EUVD
EUVD-2026-22028
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
python python *
python lzma *
python bz2 *
python gzip *
python zlib *
python cpython From 3.10 (inc) to 3.14 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-6100 is a critical use-after-free (UAF) vulnerability in Python's decompression modules for LZMA, BZ2, and gzip. It occurs when a decompressor instance is reused after a MemoryError is raised due to a failed memory allocation during decompression, typically under memory pressure. In this situation, a dangling pointer remains inside the decompressor object, which can lead to unsafe memory access or undefined behavior.

This vulnerability only affects programs that reuse decompressor instances across multiple decompression calls after such an error. One-shot decompression helper functions that create new decompressor instances per call are not affected. The fix involves clearing the dangling input pointer in the error handling path to prevent use-after-free conditions.

Impact Analysis

This vulnerability can lead to use-after-free conditions where the program accesses memory that has already been freed. This can cause undefined behavior, including crashes, memory corruption, or potential security risks such as arbitrary code execution or information disclosure.

The impact is specifically relevant if your application reuses decompressor instances after a MemoryError during decompression. Under memory pressure, this can cause the decompressor to reference invalid memory, potentially leading to exploitation or instability.

Detection Guidance

This vulnerability occurs specifically when Python decompressor instances (lzma.LZMADecompressor, bz2.BZ2Decompressor, gzip.GzipFile) are re-used after a MemoryError is raised during decompression under memory pressure. Detection involves monitoring for such error conditions and reuse patterns in your Python applications.

There are no direct network-level indicators or specific commands provided in the resources to detect this vulnerability on your system or network.

To detect if your Python environment is vulnerable, you can check the Python version and whether it includes the fix for CVE-2026-6100. Additionally, reviewing application logs for MemoryError exceptions during decompression and verifying if decompressor instances are reused after such errors can help identify potential exposure.

Mitigation Strategies

To mitigate this vulnerability, immediately update your Python installation to a version that includes the fix for CVE-2026-6100. The fix was applied starting with Python 3.13 and backported to supported branches including 3.10 through 3.14.

If updating is not immediately possible, avoid re-using decompressor instances (lzma.LZMADecompressor, bz2.BZ2Decompressor, gzip.GzipFile) after a MemoryError occurs during decompression. Instead, create new decompressor instances for each decompression call.

Using the one-shot decompression helper functions such as lzma.decompress(), bz2.decompress(), gzip.decompress(), and zlib.decompress() is safe, as these create new decompressor instances per call and are not affected by this vulnerability.

Compliance Impact

The provided information does not specify any direct impact of CVE-2026-6100 on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6100. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart