CVE-2026-9669

EUVD-2026-35202
bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.
Provider: PSF (CNA)
Base score: 8.2 HIGH
Attack vector: NETWORK
Attack complexity: HIGH
Privileges required: NONE
Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS percentile: 13%

Early detection: affected products identified ahead of NVD analysis through intelligence sources.
Affected products
Vendor: python
Product: cpython
Version: x < 3.16.0
Source: CNA
Debian releases
Product      Codename             Status
python3.11   bookworm             no-dsa
python3.11   bookworm (security)  vulnerable
python3.13   forky                vulnerable
python3.13   sid                  vulnerable
python3.13   trixie               no-dsa
python3.14   forky                vulnerable
python3.14   sid                  vulnerable
python3.9    bullseye             vulnerable
python3.9    bullseye (security)  vulnerable