A critical vulnerability has been identified in the classes that CPython supplies for decompressing data in the lzma, bz2, and gzip formats: lzma.LZMADecompressor, bz2.BZ2Decompressor, and gzip.GzipFile. The vulnerability, tracked as CVE-2026-6100, has been assigned a severity score of 9.1 out of 10. If successfully exploited, it results in a use-after-free (access to memory that has already been freed), which can lead to leakage of process memory contents or execution of attacker-supplied code when specially crafted data is decompressed.
The issue stems from an error in the handling of a failed memory allocation, which occurs when the process has insufficient memory available. To exploit the vulnerability, an attacker must therefore first create memory-exhaustion conditions within the target process. The use-after-free is triggered in applications that reuse the same decompressor instance after a decompression call has raised an error. Applications that create a new decompressor instance for each call are not affected.
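The unaffected pattern the advisory describes, as an added example that is not from the original report or from CPython: a fresh decompressor per call for all three named classes, plus a hypothetical `SingleUseDecompressor` wrapper that discards a streaming decompressor after any error so the same object cannot be fed more data by accident.

```python
import bz2
import gzip
import io
import lzma

# Constructed sample payload, compressed in the three formats named above.
SAMPLE = b"example payload " * 64
LZMA_DATA = lzma.compress(SAMPLE)
BZ2_DATA = bz2.compress(SAMPLE)
GZIP_DATA = gzip.compress(SAMPLE)

def decompress_once(fmt, data):
    """One fresh decompressor per call: the pattern the advisory calls unaffected."""
    if fmt == "lzma":
        return lzma.LZMADecompressor().decompress(data)
    if fmt == "bz2":
        return bz2.BZ2Decompressor().decompress(data)
    if fmt == "gzip":
        with gzip.GzipFile(fileobj=io.BytesIO(data)) as f:
            return f.read()
    raise ValueError(f"unsupported format: {fmt}")

class SingleUseDecompressor:
    """Hypothetical guard (not CPython's): once decompress() raises, the wrapped
    instance is dropped and later calls are refused, blocking accidental reuse."""

    def __init__(self, factory):
        self._inner = factory()
        self.poisoned = False

    def decompress(self, chunk):
        if self.poisoned:
            raise RuntimeError("decompressor discarded after an earlier error")
        try:
            return self._inner.decompress(chunk)
        except Exception:
            self.poisoned = True
            self._inner = None  # never feed more data to this object
            raise

def reuse_guard_demo(bogus=b"\xff" * 64):
    """Feed a bad chunk, then a valid one; report the outcome of each call."""
    guard = SingleUseDecompressor(lzma.LZMADecompressor)
    seen = []
    for chunk in (bogus, LZMA_DATA):
        try:
            guard.decompress(chunk)
            seen.append("ok")
        except Exception as exc:
            seen.append(type(exc).__name__)
    return seen
```

The second call in `reuse_guard_demo` is refused with `RuntimeError` rather than reaching the underlying decompressor, which is the reuse-after-error step the advisory identifies as the trigger.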
A fix for this vulnerability is currently available in the form of a patch that can be accessed here.