CVE-2026-6100

CVE Details

Release Date:	2026-04-13
Impact:	Important	What is this?

Description

Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition. The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. Using the helper functions to one-shot decompress data such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.

See more information about CVE-2026-6100 from MITRE CVE dictionary and NIST NVD

NOTE: The following CVSS metrics and score provided are preliminary and subject to review.

CVSS v3 metrics

Base Score:	8.1
Vector String:	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Version:	3.1
Attack Vector:	Network
Attack Complexity:	High
Privileges Required:	None
User Interaction:	None
Scope:	Unchanged
Confidentiality Impact:	High
Integrity Impact:	High
Availability Impact:	High

Errata information

Platform	Errata	Release Date
Oracle Linux version 10 (python3.12)	ELSA-2026-10711	2026-04-27
Oracle Linux version 8 (python3)	ELSA-2026-11077	2026-04-28
Oracle Linux version 8 (python3.11)	ELSA-2026-11062	2026-04-27
Oracle Linux version 8 (python3.12)	ELSA-2026-10950	2026-04-27
Oracle Linux version 9 (python3.11)	ELSA-2026-10774	2026-04-27
Oracle Linux version 9 (python3.12)	ELSA-2026-10745	2026-04-27
Oracle Linux version 9 (python3.9)	ELSA-2026-10949	2026-04-27