Zero Day Monitor (ZDM)
CVE-2026-6100 · Status: EXPLOITED, PATCHED
Python Software Foundation · Python

Use-after-free in lzma.LZMADecompressor, bz2.BZ2Decompressor, and gzip.GzipFile after re-use under memory pressure

Description

A use-after-free (UAF) was possible in `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation failed with a `MemoryError` and the same decompression instance was then re-used. The scenario can be triggered when the process is under memory pressure. The fix clears the dangling pointer in this specific error path.

The vulnerability is present only if a program re-uses a decompressor instance across multiple decompression calls after a `MemoryError` has been raised during decompression. The one-shot helper functions `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected, because each call uses a fresh decompressor instance. Likewise, code that does not re-use a decompressor instance after an error is not vulnerable.
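The re-use condition described above, shown as an added example (this is not code from the CPython advisory, the patch, or the project): an anti-pattern that keeps one long-lived decompressor object and swallows `MemoryError`, beside a wrapper that treats any exception from a decompressor as fatal for that instance and starts the next stream on a fresh object. Class and function names (`UnsafePooledDecompressor`, `SafeStreamDecompressor`, `decompress_chunks`, `demo`) are invented for the illustration, the sample payloads are constructed in-line, and the failing stream is simulated with invalid bz2 input rather than a real allocation failure, since the page gives no recipe for provoking one. `gzip.GzipFile` is left out because it is a file object, but the same rule applies: never keep reading from an instance that has already raised.

```python
"""Added illustration for CVE-2026-6100 (not code from the advisory or CPython).

The vulnerable condition is narrow: a streaming decompressor object raises
MemoryError and the *same* object is then fed more data.  The safe pattern
below treats every exception from a decompressor as fatal for that instance,
so no later call can reach a poisoned object.  Names are invented for this
example; the payloads are constructed here, not taken from any real traffic.
"""
import bz2
import lzma


def lzma_factory():
    """Fresh xz decompressor (one of the two streaming types named in the advisory)."""
    return lzma.LZMADecompressor(format=lzma.FORMAT_XZ)


def bz2_factory():
    return bz2.BZ2Decompressor()


class UnsafePooledDecompressor:
    """Anti-pattern: one long-lived decompressor kept across calls even after
    it raised.  On an unpatched interpreter this is exactly the re-use after
    MemoryError that the advisory describes."""

    def __init__(self, factory):
        self._d = factory()

    def feed(self, chunk: bytes) -> bytes:
        try:
            return self._d.decompress(chunk)
        except MemoryError:
            return b""  # swallowed; the next feed() re-uses self._d anyway


class SafeStreamDecompressor:
    """One decompressor object per stream, discarded on the first exception."""

    def __init__(self, factory):
        self._factory = factory
        self._d = None
        self.instances_created = 0

    def _fresh(self) -> None:
        self._d = self._factory()
        self.instances_created += 1

    @property
    def has_live_instance(self) -> bool:
        return self._d is not None

    def feed(self, chunk: bytes) -> bytes:
        # New stream, or previous stream finished: start a brand-new object.
        if self._d is None or self._d.eof:
            self._fresh()
        try:
            return self._d.decompress(chunk)
        except Exception:
            # MemoryError, LZMAError, OSError, ...: on pre-fix CPython the
            # object may now hold a dangling internal pointer.  Drop the
            # reference so nothing can call into it again, then re-raise so
            # the caller decides what to do with the failed stream.
            self._d = None
            raise


def decompress_chunks(factory, chunks) -> bytes:
    """Decompress one stream that arrives as a sequence of byte chunks."""
    sd = SafeStreamDecompressor(factory)
    return b"".join(sd.feed(c) for c in chunks)


def chunked(data: bytes, size: int) -> list:
    return [data[i:i + size] for i in range(0, len(data), size)]


# Constructed sample payloads (not real data).
PAYLOAD = b"zero day monitor sample payload " * 64
XZ_CHUNKS = chunked(lzma.compress(PAYLOAD, format=lzma.FORMAT_XZ), 37)
BZ2_CHUNKS = chunked(bz2.compress(PAYLOAD), 37)


def demo() -> dict:
    """Two good streams, then a failing stream and a good one on the same wrapper."""
    out = {
        "xz_ok": decompress_chunks(lzma_factory, XZ_CHUNKS) == PAYLOAD,
        "bz2_ok": decompress_chunks(bz2_factory, BZ2_CHUNKS) == PAYLOAD,
    }
    sd = SafeStreamDecompressor(bz2_factory)
    try:
        sd.feed(b"definitely not a bzip2 stream")  # BZ2Decompressor raises OSError
    except OSError:
        pass
    out["dropped_after_error"] = not sd.has_live_instance
    # The next stream is served by a new object, never by the one that failed.
    out["recovered"] = b"".join(sd.feed(c) for c in BZ2_CHUNKS) == PAYLOAD
    out["instances_created"] = sd.instances_created
    return out


if __name__ == "__main__":
    print(demo())
```

The wrapper's contract is the one the advisory's "not vulnerable" cases share: a decompressor instance never sees another `decompress()` call once it has raised, whatever the exception type. Swallowing `MemoryError` and carrying on, as the anti-pattern does, is also a bad idea on patched interpreters, because the interrupted stream is in an undefined position.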

Affected Products

Vendor | Product | Versions
Python Software Foundation | Python | 0

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor | Product | Source | Confidence
Fedora | Fedora Linux | cert_advisory | 90%
open source | python | cert_advisory | 90%

References

  • https://github.com/python/cpython/pull/148396 (patch)
  • https://mail.python.org/archives/list/security-announce@python.org/thread/HTWB2Z6KT5QQX4RYEZAFININDHNOSIF3/ (vendor advisory)
  • https://github.com/python/cpython/issues/148395 (issue tracking)
  • https://github.com/python/cpython/commit/6a5f79c8d7bbf22b083b240910c7a8781a59437d (patch)
  • https://github.com/python/cpython/commit/8fc66aef6d7b3ae58f43f5c66f9366cc8cbbfcd2 (patch)
  • https://github.com/python/cpython/commit/c3cf71c3366fe49acb776a639405c0eea6169c20 (patch)
  • https://github.com/python/cpython/commit/47128e64f98c3a20271138a98c2922bea2a3ee0e (patch)
  • https://github.com/python/cpython/commit/e20c6c9667c99ecaab96e1a2b3767082841ffc8b (patch)

Related News (5 articles)

Tier A · Microsoft MSRC · 2d ago
CVE-2026-6100 Use-after-free in lzma.LZMADecompressor, bz2.BZ2Decompressor, and gzip.GzipFile after re-use under memory pressure
→ No new info (linked only)

Tier B · BSI Advisories · 6d ago
[NEW] [medium] CPython: Multiple vulnerabilities
→ No new info (linked only)

Tier B · CERT-FR · 7d ago
Multiple vulnerabilities in Python (14 April 2026)
→ No new info (linked only)

Tier C · VulDB · 7d ago
CVE-2026-6100 | Python CPython up to 3.14.x Decompression Call use after free (ID 148395)
→ No new info (linked only)

Tier C · oss-security · 7d ago
[oss-security] [CVE-2026-6100] CPython: Use-after-free in lzma.LZMADecompressor, bz2.BZ2Decompressor, and gzip.GzipFile after re-use under memory pressure
→ No new info (linked only)
CISA KEV: No
Actively exploited: Yes
Patch available: 3.15.0
CWE: CWE-416, CWE-787
Published: Apr 13, 2026
Last enriched: 7d ago (v3)
Tags: CVE-2026-6100
Trending Score: 48
Source articles: 5
Independent: 5
Info Completeness: 8/14
Missing: cvss, epss, kev, exploit, iocs, mitre_attack


Related CVEs (5)

CVE-2026-4786 · NONE · EXP
Incomplete mitigation of CVE-2026-4519, %action expansion for command injection to webbrowser.open()
Trending: 48

CVE-2026-3219 · NONE
pip doesn't reject concatenated ZIP and tar archives
Trending: 30

CVE-2026-5713 · NONE · EXP
Out-of-bounds read/write during remote profiling and asyncio process introspection when connecting to malicious target
Trending: 27

CVE-2026-1502 · NONE
HTTP client proxy tunnel headers not validated for CR/LF
Trending: 21

CVE-2026-3446 · NONE · EXP
Base64 decoding stops at first padded quad by default
Trending: 17


Verification

State: verified
Confidence: 0%

Vulnerability Timeline

CVE Published: Apr 13, 2026
Discovered by ZDM: Apr 13, 2026
Updated (tags): Apr 13, 2026
Updated (severity, affectedVersions, activelyExploited): Apr 13, 2026
Actively Exploited: Apr 14, 2026
Patch Available: Apr 14, 2026

Version History

Current: v3 · Last enriched 7d ago

v3 · Tier C · 7d ago
Updated severity to CRITICAL, added affected version 3.14.x, and marked the vulnerability as actively exploited.
Fields: severity, affectedVersions, activelyExploited
via VulDB

v2 · Tier C · 7d ago
Updated severity to CRITICAL, marked exploit as available and actively exploited, and added new tag CVE-2026-6100.
Fields: tags
via oss-security

v1 · 7d ago
Initial creation