CVE-2026-6100
Severity CVSS v4.0:
CRITICAL
Type:
CWE-416
Use After Free
Publication date:
13/04/2026
Last modified:
17/04/2026
Description
Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition.<br />
<br />
The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. Using the helper functions to one-shot decompress data such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.
Impact
Base Score 4.0
9.10
Severity 4.0
CRITICAL
References to Advisories, Solutions, and Tools
- https://github.com/python/cpython/commit/47128e64f98c3a20271138a98c2922bea2a3ee0e
- https://github.com/python/cpython/commit/6a5f79c8d7bbf22b083b240910c7a8781a59437d
- https://github.com/python/cpython/commit/8fc66aef6d7b3ae58f43f5c66f9366cc8cbbfcd2
- https://github.com/python/cpython/commit/c3cf71c3366fe49acb776a639405c0eea6169c20
- https://github.com/python/cpython/commit/e20c6c9667c99ecaab96e1a2b3767082841ffc8b
- https://github.com/python/cpython/issues/148395
- https://github.com/python/cpython/pull/148396
- https://mail.python.org/archives/list/security-announce@python.org/thread/HTWB2Z6KT5QQX4RYEZAFININDHNOSIF3/
- http://www.openwall.com/lists/oss-security/2026/04/13/10