CVE-2026-9669
bz2.BZ2Decompressor reuse after error can cause a stack buffer overflow
Description
bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.
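The safe handling pattern for this issue, as an added example (not code from the advisory or from CPython): every decompression attempt gets its own `bz2.BZ2Decompressor`, and a decompressor that has raised `OSError` is dropped rather than fed again. The sample payload and the garbage byte string are constructed for the demonstration; the function names are this example's own.

```python
import bz2

# Constructed sample input: a valid bz2 stream of a known payload, and a
# garbage byte string that is not a bz2 stream at all.
GOOD_PAYLOAD = b"hello, bz2 retry pattern\n" * 4
GOOD_STREAM = bz2.compress(GOOD_PAYLOAD)
BAD_STREAM = b"not a bz2 stream at all"


def split_chunks(data, size=16):
    """Yield `data` in fixed-size pieces, the way a socket reader would."""
    for i in range(0, len(data), size):
        yield data[i:i + size]


def decompress_chunks(chunks):
    """Decompress one bz2 stream from an iterable of byte chunks.

    The BZ2Decompressor is created here and stays local to this call, so a
    caller that catches OSError holds no reference to the failed object and
    cannot feed it again.
    """
    decompressor = bz2.BZ2Decompressor()
    out = bytearray()
    for chunk in chunks:
        out += decompressor.decompress(chunk)  # raises OSError on corrupt data
    if not decompressor.eof:
        raise ValueError("truncated bz2 stream")
    return bytes(out)


def decompress_with_retry(candidates):
    """Try each candidate chunk source in turn until one decompresses cleanly.

    Every attempt goes through decompress_chunks(), so every attempt gets a
    new decompressor; one that raised is discarded, never resumed.
    Returns (data, attempt_number). Re-raises the last error if all fail.
    """
    last_error = None
    for attempt, source in enumerate(candidates, start=1):
        try:
            return decompress_chunks(source), attempt
        except (OSError, ValueError) as exc:
            last_error = exc
    if last_error is None:
        raise ValueError("no candidate sources supplied")
    raise last_error


# The pattern the advisory describes, kept only for contrast and never called:
# a single decompressor object reused for a retry after it raised OSError.
def _unsafe_reuse_after_error(first, second):  # hypothetical; do not use
    d = bz2.BZ2Decompressor()
    try:
        return d.decompress(first)
    except OSError:
        return d.decompress(second)  # resumes from a failed internal state


if __name__ == "__main__":
    data, attempts = decompress_with_retry([
        split_chunks(BAD_STREAM),   # first source is corrupt -> OSError
        split_chunks(GOOD_STREAM),  # second source is intact
    ])
    print(f"decompressed {len(data)} bytes on attempt {attempts}")
```

Until a fixed build is available, this per-attempt construction is the mitigation to apply in application code: audit any retry or "try the next source" loop around `BZ2Decompressor.decompress()` and make sure the object is never shared across an `OSError`.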
How to fix CVE-2026-9669
No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.
- Bitnami/libpython—no fix listed
- Bitnami/python—no fix listed
- Bitnami/python-min—no fix listed
- —no fix listed
- —no fix listed
- —no fix listed
- —no fix listed
Is CVE-2026-9669 being exploited?
No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-9669.
Affected packages (7)
- from 0
- from 0
- from 0
- from 0
- from 0
- from 0
- from 0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |