CVE-2026-6100
A use-after-free (UAF) vulnerability exists in `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile`. It arises when a memory allocation fails, raising a `MemoryError`, and the decompression instance is then reused; such a scenario can occur while the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition.

The vulnerability only arises if decompressor instances are reused for further decompression calls after a `MemoryError` has occurred. Using the helper functions `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` is unaffected, as each call creates a new decompressor instance. Similarly, a decompressor instance that is not reused after the error condition is not vulnerable.
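The mitigation condition above (never reuse a streaming decompressor after a `MemoryError`) can be enforced in application code while waiting for a patched interpreter. The following is an added example, not code from CPython or from the advisory: it wraps a streaming decompressor so that the first `MemoryError` permanently discards the underlying instance, forcing the caller to start over with a fresh one. The `GuardedDecompressor` class, the `_FlakyDecompressor` stand-in (which simulates an allocation failure, since the real bug needs the C allocator to fail) and the sample payload are all constructed for this illustration; `gzip.GzipFile` is not covered because it owns its decompressor internally.

```python
import bz2
import lzma
import zlib

# Constructed sample payload (not from the advisory) for the round trips below.
SAMPLE = b"advisory demo payload " * 2000

# Codec name -> (one-shot compressor, streaming decompressor factory).
CODECS = {
    "lzma": (lzma.compress, lzma.LZMADecompressor),
    "bz2": (bz2.compress, bz2.BZ2Decompressor),
    "zlib": (zlib.compress, zlib.decompressobj),
}


class GuardedDecompressor:
    """Wrap a streaming decompressor so it can never be reused after MemoryError.

    `factory` is a zero-argument callable returning an object with a
    `.decompress(bytes) -> bytes` method (e.g. lzma.LZMADecompressor).
    """

    def __init__(self, factory):
        self._inner = factory()
        self.discarded = False

    def decompress(self, chunk):
        if self.discarded:
            # Refuse to touch an instance that already hit MemoryError; the
            # caller must construct a new GuardedDecompressor.
            raise RuntimeError("decompressor discarded after MemoryError; create a new one")
        try:
            return self._inner.decompress(chunk)
        except MemoryError:
            # Drop the only reference so the failed instance cannot be reused.
            self.discarded = True
            self._inner = None
            raise


def decompress_chunks(factory, chunks):
    """Feed `chunks` through a fresh decompressor and return the joined output.

    A MemoryError propagates to the caller; the instance that raised it is not
    retained, so any retry goes through a brand-new decompressor.
    """
    guard = GuardedDecompressor(factory)
    return b"".join(guard.decompress(chunk) for chunk in chunks)


def split(data, size):
    """Cut `data` into consecutive pieces of at most `size` bytes."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def roundtrip_ok(codec):
    """Compress SAMPLE with `codec`, stream it back in 1 KiB pieces, compare."""
    compress, factory = CODECS[codec]
    return decompress_chunks(factory, split(compress(SAMPLE), 1024)) == SAMPLE


class _FlakyDecompressor:
    """Constructed stand-in that raises MemoryError on its second call."""

    def __init__(self):
        self.calls = 0

    def decompress(self, chunk):
        self.calls += 1
        if self.calls == 2:
            raise MemoryError("simulated allocation failure")
        return chunk


def reuse_after_memory_error_is_refused():
    """Return True if the guard blocks reuse after a simulated MemoryError."""
    guard = GuardedDecompressor(_FlakyDecompressor)
    guard.decompress(b"a")            # first call succeeds
    try:
        guard.decompress(b"b")        # second call: simulated MemoryError
    except MemoryError:
        pass
    try:
        guard.decompress(b"c")        # this would be the unsafe reuse
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    for name in CODECS:
        print(name, "round trip ok:", roundtrip_ok(name))
    print("reuse refused:", reuse_after_memory_error_is_refused())
```

Where streaming is not required, the simplest mitigation remains the one the advisory names: call `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()` or `zlib.decompress()`, which build a fresh decompressor per call and so never reuse one that has failed.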
NVD Record:
References:
- https://github.com/python/cpython/commit/47128e64f98c3a20271138a98c2922bea2a3ee0e
- https://github.com/python/cpython/commit/6a5f79c8d7bbf22b083b240910c7a8781a59437d
- https://github.com/python/cpython/commit/8fc66aef6d7b3ae58f43f5c66f9366cc8cbbfcd2
- https://github.com/python/cpython/commit/c3cf71c3366fe49acb776a639405c0eea6169c20
- https://github.com/python/cpython/commit/e20c6c9667c99ecaab96e1a2b3767082841ffc8b
- https://github.com/python/cpython/issues/148395
- https://github.com/python/cpython/pull/148396
- https://mail.python.org/archives/list/security-announce@python.org/thread/HTWB2Z6KT5QQX4RYEZAFININDHNOSIF3/
- http://www.openwall.com/lists/oss-security/2026/04/13/10