PT-2026-32487 · Python+1 · Cpython+1
Ryan Hileman +2
Published 2026-04-13 · Updated 2026-05-19
CVE-2026-6100
CVSS v4.0: 9.1 (Critical)
Vector: AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
CPython (affected versions not specified)
Description
A use-after-free (UAF) issue exists in lzma.LZMADecompressor, bz2.BZ2Decompressor, and gzip.GzipFile. It occurs when a memory allocation fails with a MemoryError and the decompressor instance is subsequently reused, typically under memory pressure. A use-after-free is a condition in which a program continues to use a memory address after it has been released. The issue does not affect the one-shot decompression helper functions lzma.decompress(), bz2.decompress(), gzip.decompress(), and zlib.decompress(), nor does it affect cases where decompressor instances are not reused after an error.
Recommendations
Avoid reusing decompressor instances across multiple decompression calls after a MemoryError is raised.
Use helper functions such as lzma.decompress(), bz2.decompress(), gzip.decompress(), and zlib.decompress() to perform one-shot decompression.
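As an added example (not the advisory's or CPython's code) of applying the recommendations to streamed input: a wrapper that builds a fresh decompressor per stream, caps output before memory pressure builds, and lets the instance die with the call when a MemoryError or format error escapes, so an errored instance is never fed again. The names DecompressionAborted, decompress_stream, roundtrip and outcome, the 64 MiB default cap, and the sample payload are assumptions constructed for this example.

```python
import bz2
import gzip
import lzma
import zlib

# Added example, not CPython's code. One constructor per stream; gzip data goes
# through zlib with wbits=31 (gzip framing) instead of a reusable gzip.GzipFile.
DECOMPRESSORS = {
    "lzma": lzma.LZMADecompressor,
    "bz2": bz2.BZ2Decompressor,
    "gzip": lambda: zlib.decompressobj(wbits=31),
}
COMPRESSORS = {"lzma": lzma.compress, "bz2": bz2.compress, "gzip": gzip.compress}

class DecompressionAborted(Exception):
    """The stream was rejected and its decompressor instance discarded."""

def decompress_stream(chunks, algo, max_output=64 * 1024 * 1024):
    """Decompress byte chunks with a decompressor local to this call; if a
    MemoryError (the advisory's trigger) escapes, the instance dies with the frame."""
    dec = DECOMPRESSORS[algo]()
    out = bytearray()
    try:
        for chunk in chunks:
            out += dec.decompress(chunk)
            if len(out) > max_output:  # cap output before memory pressure builds
                raise DecompressionAborted(f"{algo}: output exceeds {max_output} bytes")
        if not dec.eof:
            raise DecompressionAborted(f"{algo}: truncated stream")
        return bytes(out)
    except (MemoryError, OSError, EOFError, ValueError, lzma.LZMAError, zlib.error) as exc:
        raise DecompressionAborted(f"{algo}: {type(exc).__name__}: {exc}") from exc
    finally:
        dec = None  # the instance is never handed back to the caller

def roundtrip(algo, data, chunk_size):
    """Compress data, then stream it back in chunk_size pieces (demo helper)."""
    blob = COMPRESSORS[algo](data)
    chunks = (blob[i:i + chunk_size] for i in range(0, len(blob), chunk_size))
    return decompress_stream(chunks, algo)

def outcome(algo, chunks, **kw):
    """Return 'ok' or the rejection message; the decompressor never escapes."""
    try:
        decompress_stream(chunks, algo, **kw)
        return "ok"
    except DecompressionAborted as exc:
        return str(exc)
```

Because the decompressor is scoped to one call, a caller that retries after an error necessarily gets a new instance rather than the one that failed.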
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
RCE
Use After Free
Memory Corruption
Related Identifiers
Affected Products
Cpython
Rocky Linux