CVE-2026-9669
Published: June 11, 2026Last modified: June 17, 2026
Description
bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.
Status
| Product | Release | Package | Status |
|---|---|---|---|
| Alpaquita Linux | 23 LTS | python3 | Fixed (3.11.15-r4) |
| 25 LTS | python3 | Fixed (3.12.13-r4) | |
| Stream | python3 | Fixed (3.14.5-r2) | |
| Hardened Containers | 23 LTS | python3 | Fixed (3.11.15-r4) |
| 25 LTS | python3 | Fixed (3.12.13-r4) | |
| Stream | python3 | Fixed (3.14.5-r2) |
References
- http://www.openwall.com/lists/oss-security/2026/06/08/17
- https://github.com/python/cpython/commit/157a5df8cb5d82b33f918a7489e72ce95ceb12b6
- https://github.com/python/cpython/commit/5755d0f083949ff3c5bf3a37e673e24e306b036e
- https://github.com/python/cpython/commit/619a12b2e545391dc436b3af79dda22337382a6f
- https://github.com/python/cpython/commit/d3ca26983dfbccdf609f24ff5877dc3118e4702d
- https://github.com/python/cpython/issues/150599
- https://github.com/python/cpython/pull/150600
- https://mail.python.org/archives/list/[email protected]/thread/DBJZETMGUIFK7DVUWMOXHD3Z6IX2QPSX/