CVE-2026-9669

Summary

bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.

Affected Software

VendorProductVersion RangeStatus
Python Software FoundationCPython0 < 3.13.14affected
Python Software FoundationCPython3.14.0 < 3.14.6affected
Python Software FoundationCPython3.15.0a1 < 3.15.0b3affected

Weaknesses

  • CWE-121: CWE-121 Stack-based buffer overflow

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References