CVE Catalog

CVE-2026-9669

HighCVSS 8.2
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.43%

35th percentile - higher than 35% of all known CVEs

Summary

bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer.

Risk Assessment

The risk is a potential process crash when processing untrusted data, which could lead to service or system disruption.

Recommendation

Immediately update Python to a version containing the fix for CVE-2026-9669 and avoid reusing BZ2Decompressor objects after a decompression error.

Original NVD description (English source)

bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS