CVE-2026-9669
Published: Mon, 08 Jun 2026 23:17
Summary
bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompress
Details
bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.
Are YOU affected by CVE-2026-9669?
5-second check on your actual server. Reads /etc/os-release, uname -r, and dpkg-query; matches against the live USN + Debian Security Tracker feeds; tells you whether CVE-2026-9669 (and any other live CVE) applies. Anonymous, no signup.
curl https://mindsparkstack.com/scan.sh | bash
References
- https://github.com/python/cpython/commit/157a5df8cb5d82b33f918a7489e72ce95ceb12b6
- https://github.com/python/cpython/commit/5755d0f083949ff3c5bf3a37e673e24e306b036e
- https://github.com/python/cpython/commit/619a12b2e545391dc436b3af79dda22337382a6f
- https://github.com/python/cpython/commit/d3ca26983dfbccdf609f24ff5877dc3118e4702d
- https://github.com/python/cpython/issues/150599
- https://github.com/python/cpython/pull/150600
- https://mail.python.org/archives/list/security-announce@python.org/thread/DBJZETMGUIFK7DVUWMOXHD3Z6IX2QPSX/
- http://www.openwall.com/lists/oss-security/2026/06/08/17
StackPatch runs this match against YOUR installed packages every hour
Free 1-server / $99 lifetime founder seat (50 only) / $19+/mo monthly. Indie pricing.