Description
The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.
Published: 2026-03-04
Score: 5.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Audit bypass leading to undetected code execution via .pyc import
Action: Monitor
AI Analysis

Impact

The flaw lies in CPython’s import hook for legacy byte‑code files; it fails to invoke io.open_code(), preventing sys.audit handlers from firing for this import event. As a result, any code loaded from a *.pyc file can execute without generating the expected audit trail, allowing an attacker to run covert or malicious code without triggering detection mechanisms.

Affected Systems

Python Software Foundation’s CPython implementation is affected. No specific product versions are listed, so every release in which FileLoader reads legacy .pyc files for SourcelessFileLoader without io.open_code() is potentially vulnerable and should be treated as impacted until a fix is released.

Risk and Exploitability

The CVSS score of 5.7 indicates moderate severity, and the EPSS score of less than 1% suggests a low historical exploitation probability. The vulnerability is not currently listed in CISA’s KEV catalog. The most likely attack vector is local: a malicious .pyc file is executed directly, or a local attacker is able to place such a file in a location from which Python will import it. Once the .pyc is imported, the missing audit event means the load proceeds without the expected audit trail, facilitating covert execution of arbitrary code.

Generated by OpenCVE AI on April 15, 2026 at 20:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a Python release that corrects the import hook to use io.open_code() and triggers audit events; upgrade when available.
  • Configure audit logging to record all module imports or enforce strict whitelisting of .pyc files in trusted directories.
  • Restrict placement of .pyc files to trusted, isolated directories and remove any untrusted .pyc files from the PYTHONPATH or import locations.


Advisories

No advisories yet.

History

Thu, 12 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-668
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 05 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
References

Thu, 05 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-778
References
Metrics threat_severity

None

cvssV3_1

{'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

threat_severity

Low


Thu, 05 Mar 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Python
Python cpython
Vendors & Products Python
Python cpython

Wed, 04 Mar 2026 22:30:00 +0000

Type Values Removed Values Added
Description The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.
Title SourcelessFileLoader does not use io.open_code()
References
Metrics cvssV4_0

{'score': 5.7, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: PSF

Published:

Updated: 2026-04-07T22:01:27.963Z

Reserved: 2026-02-10T16:26:08.298Z

Link: CVE-2026-2297

Vulnrichment

Updated: 2026-03-05T18:35:25.713Z

NVD

Status : Awaiting Analysis

Published: 2026-03-04T23:16:10.757

Modified: 2026-03-12T15:16:27.957

Link: CVE-2026-2297

Redhat

Severity : Low

Published Date: 2026-03-04T22:10:43Z

Links: CVE-2026-2297 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-15T20:15:13Z

Weaknesses