CVE-2026-9669
Status: Received - Intake
BZ2Decompressor Use-After-Free in Python

Publication date: 2026-06-08

Last updated on: 2026-06-09

Assigner: Python Software Foundation

Description
bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.
Meta Information
Generated: 2026-06-09
AI Q&A: 2026-06-09
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
python cpython From 3.16.0 (exc)
python cpython 3.10
python cpython 3.11
python cpython 3.12
python cpython 3.13
python cpython 3.14
python cpython 3.15
Exploitability
CWE ID Description
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
Compliance Impact

The provided information does not specify any direct impact of CVE-2026-9669 on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

The vulnerability involves bz2.BZ2Decompressor objects being reused after a decompression error. If an application catches the resulting OSError and retries decompression using the same decompressor object, specially crafted input can cause the decompressor to continue from an invalid internal state.

This invalid state can lead to out-of-bounds writes to a stack buffer, which may cause the process to crash when processing untrusted data.

Impact Analysis

This vulnerability can cause a denial of service by crashing the process handling the decompression of untrusted data.

Because the vulnerability involves out-of-bounds writes to a stack buffer, it may also pose a risk of memory corruption, which could potentially be exploited for further attacks, although the description primarily highlights process crashes.

Mitigation Strategies

To mitigate CVE-2026-9669, you should update your Python environment to a patched version where the vulnerability has been fixed.

The fix prevents reuse of the bz2.BZ2Decompressor object after a decompression error by raising a ValueError if reuse is attempted, thus avoiding out-of-bounds writes and potential crashes.

Ensure you apply updates or patches that have been backported to Python versions 3.10 through 3.15, or upgrade to a fixed main branch version.
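A defensive pattern for the retry case described above, added here as an example and not code from CPython or from the advisory: the wrapper class and the helper function names are hypothetical, and the sample streams are constructed inline (a valid bz2 stream and a copy with its block magic zeroed so decompression raises OSError).

```python
import bz2

class GuardedBZ2Decompressor:
    """Hypothetical wrapper (not part of CPython) that poisons a
    bz2.BZ2Decompressor after its first error: later calls raise ValueError."""
    def __init__(self) -> None:
        self._dec = bz2.BZ2Decompressor()
        self._failed = False

    def __getattr__(self, name):  # eof, needs_input, unused_data pass through
        return getattr(self._dec, name)

    def decompress(self, data: bytes, max_length: int = -1) -> bytes:
        if self._failed:
            raise ValueError("decompressor unusable after a previous error")
        try:
            return self._dec.decompress(data, max_length)
        except OSError:
            self._failed = True  # poison before re-raising; never resume
            raise

def decompress_first_valid(candidates, max_output=16 * 1024 * 1024):
    """Return (index, plaintext) of the first candidate that decompresses as one
    complete stream. Each attempt gets a fresh decompressor: no reuse on retry."""
    for idx, blob in enumerate(candidates):
        dec = GuardedBZ2Decompressor()
        try:
            out = dec.decompress(blob, max_output)
        except OSError:
            continue  # drop `dec`; the next iteration builds a new one
        if dec.eof:
            return idx, out
    raise ValueError("no candidate decompressed cleanly")

def reuse_after_error_is_refused(bad: bytes, good: bytes) -> bool:
    """Self-check: once `bad` has raised OSError, feeding `good` to the same
    guarded object must raise ValueError rather than continue decompressing."""
    dec = GuardedBZ2Decompressor()
    try:
        dec.decompress(bad)
    except OSError:
        try:
            dec.decompress(good)
        except ValueError:
            return True
    return False  # either `bad` did not fail, or reuse was allowed

# Constructed sample input: a valid stream, and a copy with its block magic zeroed.
GOOD = bz2.compress(b"hello " * 100)
BAD = GOOD[:4] + b"\x00" * 6 + GOOD[10:]
```

The wrapper gives unpatched interpreters the same rule the fix enforces (reuse after an error is refused), and the retry helper shows the simpler habit that avoids the bug entirely: build a new decompressor for every attempt.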
