Zero Day Monitor (ZDM) · © 2026
CVE-2026-9669 · Exploited · Patched
Python Software Foundation · python

bz2.BZ2Decompressor reuse after error can cause a stack buffer overflow

Description

bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.
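The usage pattern the description warns about, beside a form that cannot feed a failed decompressor again. This is an added example, not code from the advisory or from CPython; the sample stream, the chunk sizes and the function names are constructed for illustration, and nothing here reproduces the overflow itself, only the call pattern that reaches it.

```python
import bz2

# Constructed sample input (not from the advisory): a small bz2 stream that a
# consumer might receive in pieces, plus a chunk that is not bz2 data at all.
PLAINTEXT = b"".join(b"event %03d ok\n" % i for i in range(200))
GOOD_STREAM = bz2.compress(PLAINTEXT)
BAD_CHUNK = b"definitely not a bz2 stream"


def chunked(data, size):
    """Split bytes into consecutive pieces, as a socket or file reader would."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def decompress_reusing_failed_object(chunks):
    """The pattern the advisory describes (do not use).

    A single BZ2Decompressor is created up front; when a chunk makes it raise
    OSError the exception is swallowed and the loop keeps feeding the same
    object.  On affected CPython versions a crafted stream can leave the
    decompressor in an invalid internal state at that point, so the next call
    may resume from it and write past a stack buffer.
    """
    d = bz2.BZ2Decompressor()
    out = []
    for chunk in chunks:
        try:
            out.append(d.decompress(chunk))
        except OSError:
            continue            # BUG: d is fed again on the next iteration
    return b"".join(out)


def decompress_stream(chunks):
    """Hardened form: a decompressor that raised is never used again.

    One call handles one bz2 stream with one BZ2Decompressor that is local to
    the call.  The first OSError (e.g. "Invalid data stream") propagates and
    takes the object out of scope with it, so no caller can keep feeding it.
    A stream that stops short of its end-of-stream marker is rejected as well,
    so partial output is never mistaken for success.
    """
    d = bz2.BZ2Decompressor()
    out = []
    for chunk in chunks:
        out.append(d.decompress(chunk))
        if d.eof:
            break               # bytes after the stream stay in d.unused_data
    if not d.eof:
        raise EOFError("compressed stream ended before end-of-stream marker")
    return b"".join(out)


def decompress_with_retry(candidates):
    """Retry without reuse: every attempt builds its own decompressor inside
    decompress_stream(), so a failed attempt cannot hand a poisoned object to
    the next one.  `candidates` is a list of chunk lists, e.g. the same
    artifact fetched from several mirrors; the first that decodes cleanly wins.
    """
    last_error = None
    for chunks in candidates:
        try:
            return decompress_stream(chunks)
        except (OSError, EOFError) as exc:
            last_error = exc
    raise last_error if last_error is not None else ValueError("no candidates")


if __name__ == "__main__":
    print(decompress_stream(chunked(GOOD_STREAM, 64)) == PLAINTEXT)
    try:
        decompress_stream([BAD_CHUNK])
    except OSError as exc:
        print("rejected:", exc)
    print(decompress_with_retry([[BAD_CHUNK], chunked(GOOD_STREAM, 100)]) == PLAINTEXT)
```

The design point is that retry policy belongs at the call site, with a fresh `bz2.BZ2Decompressor()` per attempt, never inside the loop that owns the object; the hardened form enforces that by scoping the decompressor to a single stream. This is a mitigation for code that must run on an unpatched interpreter; the remediation the page records is the patched release.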

Affected Products

Vendor: Python Software Foundation
Product: python
Versions: 0, 3.14.0, 3.15.0a1

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor: open source
Product: python
Source: cert_advisory
Confidence: 90%

References

  • https://github.com/python/cpython/pull/150600 (patch)
  • https://mail.python.org/archives/list/security-announce@python.org/thread/DBJZETMGUIFK7DVUWMOXHD3Z6IX2QPSX/ (vendor advisory)
  • https://github.com/python/cpython/issues/150599 (issue tracking)
  • https://github.com/python/cpython/commit/157a5df8cb5d82b33f918a7489e72ce95ceb12b6 (patch)
  • https://github.com/python/cpython/commit/5755d0f083949ff3c5bf3a37e673e24e306b036e (patch)
  • https://github.com/python/cpython/commit/619a12b2e545391dc436b3af79dda22337382a6f (patch)
  • https://github.com/python/cpython/commit/d3ca26983dfbccdf609f24ff5877dc3118e4702d (patch)

Related News (4 articles)

Tier A · Microsoft MSRC · 9d ago
CVE-2026-9669 bz2.BZ2Decompressor reuse after error can cause a stack buffer overflow
→ No new info (linked only)

Tier B · BSI Advisories · 19d ago
[NEW] [medium] CPython: vulnerability allows denial of service
→ No new info (linked only)

Tier B · CERT-FR · 19d ago
Vulnerability in CPython (9 June 2026)
→ No new info (linked only)

Tier C · oss-security · 19d ago
[oss-security][CVE-2026-9669] CPython: bz2.BZ2Decompressor reuse after error can cause a stack buffer overflow
→ No new info (linked only)
CISA KEV: No
Actively exploited: Yes (flag set by the tracker's enrichment, v3 via BSI Advisories; not a CISA KEV listing)
Patch available: 3.16.0
CWE: CWE-121
Published: Jun 8, 2026
Last enriched: 19d ago (v3)
Tags: CVE-2026-9669, DoS
Trending Score: 14
Source articles: 4
Independent: 4
Info Completeness: 9/14
Missing: cvss, epss, kev, iocs, mitre_attack

Related CVEs (5)

  • CVE-2026-12003 [NONE] [EXP]: CPython >3.11 Insecure Input Validation resulting in privilege escalation. Trending: 67
  • CVE-2026-11972 [NONE] [EXP]: tarfile opened in streaming mode mishandles EOF. Trending: 55
  • CVE-2026-0864 [NONE]: Configuration Injection via Carriage Return (\r) in write() method. Trending: 39
  • CVE-2026-11940 [NONE]: tarfile extraction filter bypass allows escaping the destination directory. Trending: 32
  • CVE-2026-3276 [NONE] [EXP]: Potential DoS via quadratic complexity in unicodedata.normalize(). Trending: 11

Verification

State: verified
Confidence: 0%

Vulnerability Timeline

Jun 8, 2026: CVE published
Jun 8, 2026: Discovered by ZDM
Jun 8, 2026: Updated: affectedVersions, tags
Jun 9, 2026: Updated: severity, exploitAvailable, activelyExploited, tags
Jun 23, 2026: Actively exploited
Jun 23, 2026: Exploit available
Jun 23, 2026: Patch available

Version History

v3 (current) · Tier B · 19d ago · via BSI Advisories
Updated severity to MEDIUM, marked exploit as available and actively exploited, and added new tag for DoS.
Fields changed: severity, exploitAvailable, activelyExploited, tags

v2 · Tier C · 19d ago · via oss-security
Updated severity to HIGH, marked exploit as available, and added affected version 3.16.0 and CVE-2026-9669 tag.
Fields changed: affectedVersions, tags

v1 · 19d ago
Initial creation