Vulnerability Database>CVE-2026-9669

CVE-2026-9669

‍

Publish date: June 9, 2026

bz2.BZ2Decompressor objects could be reused after a decompression error. If an application catches the resulting OSError and retries with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.

‍

Learn about Echo's vulnerability management

Learn more

NVD Record:

https://nvd.nist.gov/vuln/detail/CVE-2026-9669

References:

https://github.com/python/cpython/issues/150599
https://github.com/python/cpython/pull/150600
https://mail.python.org/archives/list/security-announce@python.org/thread/DBJZETMGUIFK7DVUWMOXHD3Z6IX2QPSX/
http://www.openwall.com/lists/oss-security/2026/06/08/17

‍