{"id":"PSF-2026-18","details":"A use-after-free (UAF) was possible in `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition.\n\nThe vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. The helper functions that one-shot decompress data, such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()`, are not affected, as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.","aliases":["BIT-libpython-2026-6100","BIT-python-2026-6100","BIT-python-min-2026-6100","CVE-2026-6100","ECHO-5806-1424-7b47","PSF-0000-CVE-2026-6100"],"modified":"2026-04-17T04:56:58.679585064Z","published":"2026-04-13T17:15:47.606Z","database_specific":{"cwe_ids":[]},"references":[{"type":"WEB","url":"https://github.com/python/cpython/pull/148396"},{"type":"ADVISORY","url":"https://mail.python.org/archives/list/security-announce@python.org/thread/HTWB2Z6KT5QQX4RYEZAFININDHNOSIF3/"},{"type":"REPORT","url":"https://github.com/python/cpython/issues/148395"},{"type":"FIX","url":"https://github.com/python/cpython/commit/6a5f79c8d7bbf22b083b240910c7a8781a59437d"},{"type":"FIX","url":"https://github.com/python/cpython/commit/8fc66aef6d7b3ae58f43f5c66f9366cc8cbbfcd2"},{"type":"FIX","url":"https://github.com/python/cpython/commit/c3cf71c3366fe49acb776a639405c0eea6169c20"},{"type":"FIX","url":"https://github.com/python/cpython/commit/47128e64f98c3a20271138a98c2922bea2a3ee0e"},{"type":"FIX","url":"https://github.com/python/cpython/commit/e20c6c9667c99ecaab96e1a2b3767082841ffc8b"}],"affected":[{"ranges":[{"typ
e":"GIT","repo":"https://github.com/python/cpython","events":[{"introduced":"0"},{"fixed":"6a5f79c8d7bbf22b083b240910c7a8781a59437d"},{"fixed":"8fc66aef6d7b3ae58f43f5c66f9366cc8cbbfcd2"},{"fixed":"c3cf71c3366fe49acb776a639405c0eea6169c20"},{"fixed":"47128e64f98c3a20271138a98c2922bea2a3ee0e"},{"fixed":"e20c6c9667c99ecaab96e1a2b3767082841ffc8b"}]}],"versions":["v0.9.8","v0.9.9","v1.0.1","v1.0.2","v1.1","v1.1.1","v1.2","v1.2b1","v1.2b2","v1.2b3","v1.2b4","v1.3","v1.3b1","v1.4","v1.4b1","v1.4b2","v1.4b3","v1.5","v1.5.1","v1.5.2","v1.5.2a1","v1.5.2a2","v1.5.2b1","v1.5.2b2","v1.5.2c1","v1.5a1","v1.5a2","v1.5a3","v1.5a4","v1.5b1","v1.5b2","v1.6a1","v1.6a2","v2.0","v2.0b1","v2.0b2","v2.0c1","v2.1","v2.1a1","v2.1a2","v2.1b1","v2.1b2","v2.1c1","v2.1c2","v2.2a3","v2.3c1","v2.3c2","v2.4","v2.4a1","v2.4a2","v2.4a3","v2.4b1","v2.4b2","v2.4c1","v3.0a1","v3.0a2","v3.0a3","v3.0a4","v3.0a5","v3.0b1","v3.0b2","v3.0b3","v3.0rc1","v3.0rc2","v3.0rc3","v3.1","v3.10.0a1","v3.10.0a7","v3.10.0b1","v3.10.0b2","v3.10.0b3","v3.10.0b4","v3.10.0rc1","v3.10.0rc2","v3.10.1","v3.10.10","v3.10.11","v3.10.12","v3.10.13","v3.10.14","v3.10.15","v3.10.16","v3.10.17","v3.10.18","v3.10.19","v3.10.2","v3.10.20","v3.10.3","v3.10.4","v3.10.5","v3.10.6","v3.10.7","v3.10.8","v3.10.9","v3.11.0a3","v3.11.0a4","v3.11.0a5","v3.11.0a6","v3.11.0a7","v3.11.0b1","v3.11.0b2","v3.11.0b3","v3.11.0b4","v3.11.0b5","v3.11.0rc1","v3.11.0rc2","v3.11.1","v3.11.10","v3.11.11","v3.11.12","v3.11.13","v3.11.14","v3.11.15","v3.11.2","v3.11.3","v3.11.4","v3.11.5","v3.11.6","v3.11.7","v3.11.8","v3.11.9","v3.12.0a1","v3.12.0a2","v3.12.0a3","v3.12.0a4","v3.12.0a5","v3.12.0a6","v3.12.0a7","v3.12.0b1","v3.13.0","v3.13.0a1","v3.13.0a2","v3.13.0a3","v3.13.0a4","v3.13.0a5","v3.13.0a6","v3.13.0b1","v3.13.0b2","v3.13.0b3","v3.13.0b4","v3.13.0rc1","v3.13.0rc2","v3.13.0rc3","v3.13.1","v3.13.10","v3.13.11","v3.13.12","v3.13.13","v3.13.2","v3.13.3","v3.13.4","v3.13.5","v3.13.6","v3.13.7","v3.13.8","v3.14.0","v3.14.0a1","v3.14.0a2","v3.14.0a3","v3.
14.0a4","v3.14.0a5","v3.14.0a6","v3.14.0a7","v3.14.0b1","v3.14.0b2","v3.14.0b3","v3.14.0b4","v3.14.0rc1","v3.14.0rc2","v3.14.0rc3","v3.14.1","v3.14.2","v3.14.3","v3.14.4","v3.15.0a1","v3.15.0a2","v3.15.0a3","v3.15.0a4","v3.15.0a5","v3.15.0a6","v3.15.0a7","v3.15.0a8","v3.1a1","v3.1a2","v3.1b1","v3.1rc1","v3.1rc2","v3.2a1","v3.2a2","v3.2a3","v3.2a4","v3.2b1","v3.2b2","v3.2rc1","v3.2rc2","v3.2rc3","v3.3.0a2","v3.3.0a3","v3.3.0a4","v3.3.0b1","v3.3.0b2","v3.3.0rc1","v3.3.0rc2","v3.3.0rc3","v3.4.0a1","v3.4.0a2","v3.4.0a3","v3.4.0a4","v3.4.0b1","v3.4.0b2","v3.4.0b3","v3.5.0a1","v3.5.0a2","v3.5.0a3","v3.5.0a4","v3.5.0b1","v3.6.0a3","v3.6.0b1","v3.7.0a2","v3.9.0a2"],"database_specific":{"vanir_signatures_modified":"2026-04-15T02:03:58Z","source":"https://github.com/psf/advisory-database/blob/main/advisories/python/PSF-2026-18.json","vanir_signatures":[{"deprecated":false,"target":{"file":"Modules/_bz2module.c","function":"decompress"},"signature_version":"v1","signature_type":"Function","id":"PSF-2026-18-20b48da3","digest":{"function_hash":"84589999674251724155468361044613684778","length":2206},"source":"https://github.com/python/cpython/commit/6a5f79c8d7bbf22b083b240910c7a8781a59437d"},{"source":"https://github.com/python/cpython/commit/8fc66aef6d7b3ae58f43f5c66f9366cc8cbbfcd2","signature_type":"Line","signature_version":"v1","deprecated":false,"id":"PSF-2026-18-22d654a2","digest":{"threshold":0.9,"line_hashes":["94135993539252608169191539438933599202","104669475959108530219517263650155630981","99076997531218567452909478434502041422","333457106311082276385054253937655800853"]},"target":{"file":"Modules/_bz2module.c"}},{"target":{"file":"Modules/_lzmamodule.c","function":"decompress"},"source":"https://github.com/python/cpython/commit/8fc66aef6d7b3ae58f43f5c66f9366cc8cbbfcd2","signature_version":"v1","signature_type":"Function","id":"PSF-2026-18-274a173b","digest":{"function_hash":"274786089459037806290187256381705341170","length":2221},"deprecated":false},{"source":"https:/
/github.com/python/cpython/commit/8fc66aef6d7b3ae58f43f5c66f9366cc8cbbfcd2","signature_type":"Line","signature_version":"v1","deprecated":false,"id":"PSF-2026-18-27d405b9","digest":{"threshold":0.9,"line_hashes":["94135993539252608169191539438933599202","104669475959108530219517263650155630981","99076997531218567452909478434502041422","333457106311082276385054253937655800853"]},"target":{"file":"Modules/zlibmodule.c"}},{"digest":{"function_hash":"137817026754399672328269279492351081878","length":2174},"deprecated":false,"signature_version":"v1","target":{"file":"Modules/_lzmamodule.c","function":"decompress"},"id":"PSF-2026-18-3f4ee08e","signature_type":"Function","source":"https://github.com/python/cpython/commit/47128e64f98c3a20271138a98c2922bea2a3ee0e"},{"deprecated":false,"target":{"file":"Modules/_lzmamodule.c"},"signature_version":"v1","signature_type":"Line","id":"PSF-2026-18-42efa811","digest":{"threshold":0.9,"line_hashes":["94135993539252608169191539438933599202","104669475959108530219517263650155630981","99076997531218567452909478434502041422","333457106311082276385054253937655800853"]},"source":"https://github.com/python/cpython/commit/8fc66aef6d7b3ae58f43f5c66f9366cc8cbbfcd2"},{"deprecated":false,"target":{"file":"Modules/_bz2module.c","function":"decompress"},"signature_version":"v1","signature_type":"Function","id":"PSF-2026-18-5345bf48","digest":{"function_hash":"84589999674251724155468361044613684778","length":2206},"source":"https://github.com/python/cpython/commit/e20c6c9667c99ecaab96e1a2b3767082841ffc8b"},{"target":{"file":"Modules/_lzmamodule.c","function":"decompress"},"source":"https://github.com/python/cpython/commit/6a5f79c8d7bbf22b083b240910c7a8781a59437d","signature_version":"v1","signature_type":"Function","id":"PSF-2026-18-59ee1e2b","digest":{"function_hash":"137817026754399672328269279492351081878","length":2174},"deprecated":false},{"target":{"file":"Modules/_bz2module.c","function":"decompress"},"source":"https://github.com/python/cpy
thon/commit/c3cf71c3366fe49acb776a639405c0eea6169c20","signature_version":"v1","signature_type":"Function","id":"PSF-2026-18-643d6667","digest":{"function_hash":"84589999674251724155468361044613684778","length":2206},"deprecated":false},{"target":{"file":"Modules/_bz2module.c","function":"decompress"},"digest":{"function_hash":"285947837918045169759164635510724021861","length":2244},"signature_version":"v1","deprecated":false,"id":"PSF-2026-18-86dedb9f","signature_type":"Function","source":"https://github.com/python/cpython/commit/8fc66aef6d7b3ae58f43f5c66f9366cc8cbbfcd2"},{"target":{"file":"Modules/_bz2module.c","function":"decompress"},"source":"https://github.com/python/cpython/commit/47128e64f98c3a20271138a98c2922bea2a3ee0e","signature_version":"v1","signature_type":"Function","id":"PSF-2026-18-906ff074","digest":{"function_hash":"84589999674251724155468361044613684778","length":2206},"deprecated":false},{"digest":{"function_hash":"137817026754399672328269279492351081878","length":2174},"deprecated":false,"signature_version":"v1","target":{"file":"Modules/_lzmamodule.c","function":"decompress"},"id":"PSF-2026-18-9cdcb6f4","signature_type":"Function","source":"https://github.com/python/cpython/commit/e20c6c9667c99ecaab96e1a2b3767082841ffc8b"},{"deprecated":false,"signature_type":"Function","signature_version":"v1","target":{"file":"Modules/_lzmamodule.c","function":"decompress"},"id":"PSF-2026-18-9e46e21d","digest":{"function_hash":"137817026754399672328269279492351081878","length":2174},"source":"https://github.com/python/cpython/commit/c3cf71c3366fe49acb776a639405c0eea6169c20"},{"deprecated":false,"signature_type":"Function","signature_version":"v1","target":{"file":"Modules/zlibmodule.c","function":"decompress"},"id":"PSF-2026-18-c16b4d22","digest":{"function_hash":"288422572817338439511797407182616984687","length":2277},"source":"https://github.com/python/cpython/commit/8fc66aef6d7b3ae58f43f5c66f9366cc8cbbfcd2"},{"source":"https://github.com/python/cpython/co
mmit/6a5f79c8d7bbf22b083b240910c7a8781a59437d","signature_type":"Function","signature_version":"v1","deprecated":false,"id":"PSF-2026-18-c46813d4","digest":{"function_hash":"197439806431788498051156381226726719416","length":2238},"target":{"file":"Modules/zlibmodule.c","function":"decompress"}},{"target":{"file":"Modules/zlibmodule.c","function":"decompress"},"source":"https://github.com/python/cpython/commit/c3cf71c3366fe49acb776a639405c0eea6169c20","signature_version":"v1","signature_type":"Function","id":"PSF-2026-18-ea7af3c2","digest":{"function_hash":"197439806431788498051156381226726719416","length":2238},"deprecated":false}]}}],"schema_version":"1.7.5"}