CVE-2026-9669
HighCVSS 8.2Exploitation Probability (EPSS)
Low risk35th percentile - higher than 35% of all known CVEs
Summary
bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer.
Risk Assessment
The risk is a potential process crash when processing untrusted data, which could lead to service or system disruption.
Recommendation
Immediately update Python to a version containing the fix for CVE-2026-9669 and avoid reusing BZ2Decompressor objects after a decompression error.
Original NVD description (English source)
bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.

