Use After Free in Python Software Foundation Cpython
CVE-2026-6100
Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if t…
Vulnerability class: Use-After-Free
EPSS: 0.002 (37.1th percentile)
Affected products
- Python Software Foundation Cpython — versions 0
Weakness classification (CWE)
References
- github.com/python/cpython/pull/148396 (patch)
- mail.python.org/archives/list/security-announce@python.org/thread/HTWB2Z6KT5QQX… (vendor-advisory)
- github.com/python/cpython/issues/148395 (issue-tracking)
- github.com/python/cpython/commit/6a5f79c8d7bbf22b083b240910c7a8781a59437d (patch)
- github.com/python/cpython/commit/8fc66aef6d7b3ae58f43f5c66f9366cc8cbbfcd2 (patch)
- github.com/python/cpython/commit/c3cf71c3366fe49acb776a639405c0eea6169c20 (patch)
- github.com/python/cpython/commit/47128e64f98c3a20271138a98c2922bea2a3ee0e (patch)
- github.com/python/cpython/commit/e20c6c9667c99ecaab96e1a2b3767082841ffc8b (patch)