There is a HIGH severity vulnerability affecting CPython.

bz2.BZ2Decompressor objects could be reused after a decompression error.
If an application caught the resulting OSError and retried with the same
decompressor, crafted input could cause the decompressor to resume from
an invalid internal state and perform out-of-bounds writes to a stack
buffer. This could crash the process when processing untrusted data.

Please see the linked CVE ID for the latest information on affected versions:

* https://www.cve.org/CVERecord?id=CVE-2026-9669
* https://github.com/python/cpython/pull/150600
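
One way an application can avoid the retry-on-the-same-object pattern described above, as an added example that is not part of the original advisory or of CPython's own code: the wrapper drops the decompressor on the first error so a later call cannot reach it. The class name, function name and sample bytes are hypothetical and constructed for illustration.

```python
import bz2

# Constructed sample: valid "BZh9" stream header followed by an invalid block header.
CONSTRUCTED_BAD_STREAM = b"BZh9" + b"\x00" * 16


class SingleUseBZ2Decompressor:
    """Wraps bz2.BZ2Decompressor and refuses every call after a failure."""

    def __init__(self):
        self._inner = bz2.BZ2Decompressor()

    def decompress(self, data):
        if self._inner is None:
            raise RuntimeError("decompressor was discarded after an error")
        try:
            return self._inner.decompress(data)
        except Exception:
            # Drop the object so no caller can resume from its internal state.
            self._inner = None
            raise

    @property
    def eof(self):
        return self._inner is not None and self._inner.eof


def decompress_untrusted(chunks):
    """Decompress one bz2 stream supplied as an iterable of byte chunks.

    Returns the plaintext, or None if the stream is invalid or truncated.
    A fresh decompressor is created per call and never retried after an error.
    """
    dec = SingleUseBZ2Decompressor()
    out = bytearray()
    try:
        for chunk in chunks:
            out += dec.decompress(chunk)
            if dec.eof:
                return bytes(out)
    except OSError:
        return None  # invalid data: abandon this decompressor entirely
    return None  # input ended before the end-of-stream marker


if __name__ == "__main__":
    good = bz2.compress(b"hello" * 100)
    print(decompress_untrusted([good[:20], good[20:]]) == b"hello" * 100)
    print(decompress_untrusted([CONSTRUCTED_BAD_STREAM]))
```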