HIGH · CVE-2026-9669 · CNA: PSF

CVE-2026-9669: bz2.BZ2Decompressor reuse after error can cause a stack buffer overflow

bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.
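As an added illustration (this is not code from the advisory, from HarborGuard, or from CPython), the retry pattern described above is shown beside a hardened version that builds a new BZ2Decompressor for every attempt and also caps the decompressed size. The sample inputs, the `MAX_OUTPUT` cap and the function names are constructed for this example; nothing here depends on a particular CPython version, because the safe form never feeds input to an object that has already raised.

```python
import bz2

# Constructed sample inputs (not from the advisory): a payload compressed with the
# standard library, and a byte string that is not a bz2 stream at all.
SAMPLE_PLAINTEXT = b"hello harbor " * 64
SAMPLE_BZ2 = bz2.compress(SAMPLE_PLAINTEXT)
CORRUPT_INPUT = b"not a bz2 stream"

# Hypothetical cap on decompressed size; tune per service.
MAX_OUTPUT = 1 << 20


def decompress_with_retry_unsafe(fetch_chunks, attempts=2):
    """The pattern the advisory describes: one BZ2Decompressor is created once
    and reused for a second attempt after it has already raised OSError.
    Shown for contrast only; decompress_with_retry() below is the form to use."""
    d = bz2.BZ2Decompressor()            # created once ...
    for _ in range(attempts):
        try:
            out = bytearray()
            for chunk in fetch_chunks():
                out += d.decompress(chunk)
            return bytes(out)
        except OSError:
            pass                         # ... and reused on the next iteration after a failure
    return None


def decompress_bounded(chunks, max_output=MAX_OUTPUT):
    """Decompress an iterable of bz2 chunks with a brand-new decompressor.

    Returns the plaintext, or None if the stream is corrupt, truncated, or
    would exceed max_output bytes. The decompressor never outlives one call,
    so an object that has raised can never be fed input again.
    """
    d = bz2.BZ2Decompressor()
    out = bytearray()
    try:
        for chunk in chunks:
            if d.eof:
                break                    # trailing data after end of stream is ignored
            pending = chunk
            while True:
                # Ask for at most (remaining + 1) bytes: one byte over the cap is
                # enough to detect an oversized stream without buffering all of it.
                out += d.decompress(pending, max_length=max_output - len(out) + 1)
                if len(out) > max_output:
                    return None          # output cap exceeded (decompression bomb guard)
                if d.eof or d.needs_input:
                    break
                pending = b""            # drain buffered output before feeding more input
    except OSError:
        return None                      # corrupt stream: the decompressor is simply discarded
    if not d.eof:
        return None                      # truncated stream
    return bytes(out)


def decompress_with_retry(fetch_chunks, attempts=2):
    """Retry done safely: every attempt builds a fresh decompressor via
    decompress_bounded(), so a failed object is never resumed."""
    for _ in range(attempts):
        result = decompress_bounded(fetch_chunks())
        if result is not None:
            return result
    return None


if __name__ == "__main__":
    assert decompress_with_retry(lambda: [SAMPLE_BZ2]) == SAMPLE_PLAINTEXT
    assert decompress_with_retry(lambda: [CORRUPT_INPUT]) is None
    print("bounded, non-reusing bz2 decompression ok")
```

The retry itself is legitimate (a re-fetch may return a good stream); the defect is resuming the object that already failed. Discarding it on every OSError removes the condition the advisory depends on, and the output cap closes the separate availability risk of an untrusted stream that inflates far beyond what the service can hold.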

Metrics

CVSS v4.0: 8.2
Severity: HIGH
Fixed in: 3.13.14
Affected Products: 1


HarborGuard Analysis

Synopsis

A stack-based buffer overflow exists in Python's bz2.BZ2Decompressor when an application catches a decompression error and reuses the same decompressor object with crafted input. The vulnerability is reachable over the network (AV:N) and requires no authentication, but exploiting it depends on a specific application-level error-retry pattern and favorable conditions (AC:H, AT:P). Successful exploitation crashes the affected process, causing a denial of service. Patched-image rebuilds at CPython versions 3.13.14, 3.14.6, and 3.15.0 are available on HarborGuard for environments running affected versions.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from PSF and upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle affected CPython versions.

Triage: Available

HarborGuard scores this CVE at CVSS 8.2 (HIGH) and applies per-environment compliance policy weighting to prioritize it relative to each customer's risk thresholds; triage findings are routed to the appropriate team inbox within each customer organization.

Patch: Available

A patched-image rebuild targeting CPython 3.13.14, 3.14.6, or 3.15.0 (depending on the branch in use) is available on HarborGuard for images running an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs regression tests, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The vulnerable decompression path is exposed over the network, meaning an attacker can deliver crafted bz2 input to a reachable service without requiring local access.

  • Authentication: Not required

    No account or credentials are needed; an unauthenticated attacker can supply malicious compressed data directly.

  • Victim interaction: Not required

    No user action is required; the vulnerable code path triggers automatically when the application processes attacker-supplied input.

  • Attack complexity: High (AC:H)

    Exploitation depends on both a specific application error-retry pattern and additional environmental preconditions (AT:P), making reliable exploitation non-trivial and condition-dependent.

Blast Radius

  • Crashes the Python process that calls the reused BZ2Decompressor, causing a full service outage for that worker or process.
  • Any in-flight requests being handled by the crashed process are dropped and their results are lost.
  • If the process is part of a pool without automatic restart, continued availability of the service is disrupted until the process is manually or automatically restarted.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of CVE publication against all images in connected registries and pipelines, including internally built images that vendor CPython. For environments running CPython 3.13.x before 3.13.14, 3.14.x before 3.14.6, or 3.15.x pre-releases before 3.15.0, a rebuild against the fixed upstream version is available immediately. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image, runs the configured regression suite, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. For environments where auto-remediation is not enabled, the finding appears in the triage queue with CVSS 8.2 (HIGH) scoring and policy-weighted priority so the responsible team can act. As an interim measure while a rebuild is being evaluated, consider applying network-policy controls to restrict untrusted bz2 input from reaching services that use BZ2Decompressor with error-retry logic, or gating that code path behind a feature flag.


Fix available

3.13.14 · 3.14.6 · 3.15.0
Affected packages
  • Python Software Foundation / CPython
    < 3.13.14 (from 0) · < 3.14.6 (from 3.14.0) · < 3.15.0 (from 3.15.0a1)
CVSS Vector
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N