Description
Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition.

The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. The one-shot helper functions such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected, as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.
Published: 2026-04-13
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Memory corruption that can lead to arbitrary code execution
Action: Immediate Patch
AI Analysis

Impact

A use‑after‑free flaw exists in CPython’s LZMA, BZ2, and Gzip decompression classes. When a decompression call raises a MemoryError and the same decompressor instance is reused, the implementation may access freed memory. This can corrupt memory and in the worst case allow an attacker to execute arbitrary code through controlled data.

Affected Systems

Python Software Foundation’s CPython is affected whenever a decompressor object is reused after a MemoryError. The flaw applies to all releases that contain the vulnerable decompressors and have not yet incorporated the patches found in the commits referenced in the CVE advisory. No specific version list is provided, so all pre‑patch CPython releases are considered vulnerable.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.1, indicating a high‑severity risk. Exploitation requires the target process to be under memory pressure and to reuse a decompressor instance after encountering a MemoryError, a scenario that is realistic for long‑running services that handle compressed data. EPSS data is not available, and the issue is not listed in the CISA KEV catalog, but the high severity and the nature of the flaw suggest a substantial likelihood of exploitation if an attacker can trigger the conditions from within the application process.

Generated by OpenCVE AI on April 14, 2026 at 02:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a CPython release that includes the patch for the use‑after‑free bug (the relevant commits are listed in the CVE advisory).
  • If an immediate upgrade is not possible, avoid reusing decompressor instances after a MemoryError; create a fresh instance for each decompression operation.
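One way to follow the second recommendation in code, as an added example that is not CPython's or OpenCVE's own: a small streaming wrapper that drops its `bz2.BZ2Decompressor` or `lzma.LZMADecompressor` the moment a `MemoryError` escapes `decompress()`, so the instance can never be fed again. The `_FailingDecompressor` stand-in is constructed here to simulate the allocation failure, since a real `MemoryError` cannot be produced on demand; `gzip.GzipFile` would need the same treatment around its `read()` calls.

```python
import bz2
import lzma

class SafeStreamDecompressor:
    """Streaming wrapper that drops its decompressor after a MemoryError so a
    possibly dangling instance is never fed again (CVE-2026-6100 mitigation)."""
    def __init__(self, factory):
        self.inst = factory()  # e.g. bz2.BZ2Decompressor or lzma.LZMADecompressor

    def feed(self, chunk):
        if self.inst is None:
            raise RuntimeError("decompressor discarded after MemoryError; start a new stream")
        try:
            return self.inst.decompress(chunk)
        except MemoryError:
            self.inst = None  # never reuse the instance after this error
            raise

def decompress_stream(factory, data, chunk_size=7):
    """Decompress `data` chunk by chunk through the safe wrapper."""
    dec, out = SafeStreamDecompressor(factory), bytearray()
    for i in range(0, len(data), chunk_size):
        out += dec.feed(data[i:i + chunk_size])
    return bytes(out)

def roundtrip_ok(sample=b"hello world" * 50):
    """True if bz2 and lzma payloads round-trip through the wrapper."""
    return (decompress_stream(bz2.BZ2Decompressor, bz2.compress(sample)) == sample
            and decompress_stream(lzma.LZMADecompressor, lzma.compress(sample)) == sample)

class _FailingDecompressor:
    """Constructed stand-in whose decompress() always raises MemoryError,
    simulating an allocation failure under memory pressure."""
    def decompress(self, chunk):
        raise MemoryError("simulated allocation failure")

def error_path():
    """Returns (discarded_after_error, later_feed_refused)."""
    dec = SafeStreamDecompressor(_FailingDecompressor)
    try:
        dec.feed(b"chunk")
    except MemoryError:
        pass
    try:
        dec.feed(b"again")
        refused = False
    except RuntimeError:
        refused = True
    return dec.inst is None, refused
```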


Advisories
Source: Debian DLA
ID: DLA-4532-1
Title: python3.9 regression and security update
History

Tue, 14 Apr 2026 16:30:00 +0000

First Time appeared: added Python; Python cpython
Vendors & Products: added Python; Python cpython

Tue, 14 Apr 2026 15:00:00 +0000


Tue, 14 Apr 2026 00:15:00 +0000

Weaknesses: added CWE-825
References: (no values listed)
Metrics: threat_severity removed None, added Important; cvssV3_1 added {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Mon, 13 Apr 2026 20:30:00 +0000

References: (no values listed)
Metrics: ssvc added {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 13 Apr 2026 18:00:00 +0000


Mon, 13 Apr 2026 17:45:00 +0000

Description: added "Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition. The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. The one-shot helper functions such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected, as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable."
Title: added Use-after-free in lzma.LZMADecompressor, bz2.BZ2Decompressor, and gzip.GzipFile after re-use under memory pressure
Weaknesses: added CWE-416; CWE-787
References: (no values listed)
Metrics: cvssV4_0 added {'score': 9.1, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: PSF

Published:

Updated: 2026-04-14T14:30:25.622Z

Reserved: 2026-04-10T21:13:45.428Z

Link: CVE-2026-6100

Vulnrichment

Updated: 2026-04-13T19:29:27.322Z

NVD

Status: Awaiting Analysis

Published: 2026-04-13T18:16:31.297

Modified: 2026-04-17T15:18:16.507

Link: CVE-2026-6100

Redhat

Severity: Important

Public Date: 2026-04-13T17:15:47Z

Links: CVE-2026-6100 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-14T16:33:48Z

Weaknesses