PatchSiren cyber security CVE debrief
CVE-2026-9669 Python Software Foundation CVE debrief
CVE-2026-9669 is a HIGH severity vulnerability affecting Python's bz2.BZ2Decompressor objects. The issue allows these objects to be reused after a decompression error. If an application catches the resulting OSError and retries with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.
- Vendor: Python Software Foundation
- Product: CPython
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-08
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-08
- Advisory updated: 2026-06-10
Who should care
Developers and users of Python applications that utilize bz2.BZ2Decompressor objects, especially those processing untrusted data, should be aware of this vulnerability.
Technical summary
The vulnerability is in Python's bz2.BZ2Decompressor objects. After a decompression error the object remains usable, so an application that catches the error and retries with the same object can drive it on from an invalid internal state; crafted input can then turn that retry into out-of-bounds writes.
Defensive priority
HIGH
Recommended defensive actions
- Update Python to the latest version that includes the fix for this vulnerability.
- Avoid reusing bz2.BZ2Decompressor objects after a decompression error.
- Treat an OSError from decompression as terminal for that decompressor: discard the object and, if a retry is needed, create a new bz2.BZ2Decompressor, so corrupt input produces a clean error rather than a crash.
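The single-use pattern recommended above, written out as an added example (not code from CPython or from this advisory): a decompressor is created per call, is dropped on OSError and is never fed again, and any retry re-enters the function and so gets a fresh object. The output cap, the `decompress_with_retry` helper and the sample payloads are this example's own additions.

```python
import bz2

class UntrustedDecompressionError(Exception):
    """Raised when untrusted bz2 input is corrupt, truncated or too large."""

def decompress_untrusted(chunks, max_output=16 * 1024 * 1024):
    """Decompress untrusted bz2 chunks with a single-use decompressor.

    On OSError the bz2.BZ2Decompressor is discarded, never reused (the pattern
    behind CVE-2026-9669); a retry re-enters here with a fresh object.
    """
    decomp = bz2.BZ2Decompressor()
    out = bytearray()
    try:
        for chunk in chunks:
            data = chunk
            # With max_length set, unconsumed input stays buffered inside the
            # decompressor and needs_input is False until it has been drained.
            while not decomp.eof:
                out += decomp.decompress(data, max_output - len(out) + 1)
                if len(out) > max_output:
                    raise UntrustedDecompressionError("output exceeds max_output")
                if decomp.needs_input:
                    break
                data = b""
            if decomp.eof:  # bytes after the end of stream are ignored
                break
    except OSError as exc:
        # The anti-pattern would be to call decomp.decompress() again here.
        decomp = None
        raise UntrustedDecompressionError(f"corrupt bz2 data: {exc}") from exc
    if not decomp.eof:
        raise UntrustedDecompressionError("truncated bz2 stream")
    return bytes(out)

def decompress_with_retry(fetch_chunks, attempts=2):
    """Retry by re-fetching input; each attempt builds a new decompressor."""
    last_error = None
    for _ in range(attempts):
        try:
            return decompress_untrusted(fetch_chunks())
        except UntrustedDecompressionError as exc:
            last_error = exc
    raise last_error

# Constructed sample input: a valid stream and a copy whose stored block CRC
# (bytes 10-13 of the bz2 container) is flipped so decompression must fail.
PAYLOAD = b"untrusted payload " * 200
VALID = bz2.compress(PAYLOAD)
CORRUPT = VALID[:10] + bytes(b ^ 0xFF for b in VALID[10:14]) + VALID[14:]
```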
Evidence notes
The CVE record and details are based on information from [cve-org](https://www.cve.org/CVERecord?id=CVE-2026-9669) and [nvd](https://nvd.nist.gov/vuln/detail/CVE-2026-9669).
Official resources
CVE-2026-9669 was published on 2026-06-08T23:17:25.170Z and modified on 2026-06-10T19:16:39.233Z.