Description
bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.
Published: 2026-06-08
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw lies in Python’s bz2 module, where a BZ2Decompressor object can be reused after a decompression error. If an application catches the resulting OSError and retries with the same decompressor, carefully crafted input can cause the decompressor to resume from an invalid internal state and perform out‑of‑bounds writes to a stack buffer. This produces a stack buffer overflow (CWE‑121). The primary impact is a process crash, which equates to a denial of service, and it does not directly expose data or grant code execution, though repeated crashes could be leveraged in a more complex exploitation chain.

Affected Systems

Python Software Foundation CPython. Specific affected versions are not listed in the CVE entry, so all releases in use until the fix is applied may be vulnerable.

Risk and Exploitability

The CVSS score is 8.2, indicating a severe risk. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the weakness by delivering crafted BZ2 data to any Python application that reuses a BZ2Decompressor across errors. The likely attack vector is via untrusted input, which may be received over the network, file system, or any external data source. The vulnerability remains technically exploitable until the Python interpreter is upgraded to a version that includes the fix.

Generated by OpenCVE AI on June 8, 2026 at 23:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update CPython to a patched release that contains the fix.
  • Deploy the updated Python runtime in all affected applications and environments.
  • Avoid reusing BZ2Decompressor objects after a decompression error; create a new decompressor instance for each operation.

Generated by OpenCVE AI on June 8, 2026 at 23:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 00:45:00 +0000

Type Values Removed Values Added
First Time appeared Python
Python cpython
Vendors & Products Python
Python cpython

Tue, 09 Jun 2026 00:30:00 +0000

Type Values Removed Values Added
References

Mon, 08 Jun 2026 22:45:00 +0000

Type Values Removed Values Added
Description bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.
Title bz2.BZ2Decompressor reuse after error can cause a stack buffer overflow
Weaknesses CWE-121
References
Metrics cvssV4_0

{'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Python Cpython
cve-icon MITRE

Status: PUBLISHED

Assigner: PSF

Published:

Updated: 2026-06-08T23:27:25.188Z

Reserved: 2026-05-27T03:13:18.152Z

Link: CVE-2026-9669

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-08T23:17:25.170

Modified: 2026-06-09T13:49:39.993

Link: CVE-2026-9669

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T00:30:16Z

Weaknesses