{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2297", "assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22", "state": "PUBLISHED", "assignerShortName": "PSF", "dateReserved": "2026-02-10T16:26:08.298Z", "datePublished": "2026-03-04T22:10:43.297Z", "dateUpdated": "2026-05-01T15:13:05.340Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "CPython", "repo": "https://github.com/python/cpython", "vendor": "Python Software Foundation", "versions": [{"version": "0", "lessThan": "3.13.13", "status": "affected", "versionType": "python"}, {"version": "3.14.0", "lessThan": "3.14.4", "status": "affected", "versionType": "python"}, {"version": "3.15.0a1", "lessThan": "3.15.0a7", "status": "affected", "versionType": "python"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The import hook in CPython that handles legacy <code>*.pyc</code> files (<code>SourcelessFileLoader</code>) is incorrectly handled in <code>FileLoader</code> (a base class) and so does not use <code>io.open_code()</code> to read the <code>.pyc</code> files. sys.audit handlers for this audit event therefore do not fire."}], "value": "The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "baseScore": 5.7, "baseSeverity": "MEDIUM", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "providerMetadata": {"orgId": "28c92f92-d60d-412d-b760-e73465c3df22", "shortName": "PSF", "dateUpdated": "2026-05-01T15:13:05.340Z"}, "references": [{"tags": ["issue-tracking"], "url": "https://github.com/python/cpython/issues/145506"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/pull/145507"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/commit/482d6f8bdba9da3725d272e8bb4a2d25fb6a603e"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/commit/a51b1b512de1d56b3714b65628a2eae2b07e535e"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/commit/e58e9802b9bec5cdbf48fc9bf1da5f4fda482e86"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/commit/69ddd9bb2cc4bd69b1565647c18659c6a789ccd9"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/commit/876858c9f65d9ab656c7fa639f268ce7856d89dd"}], "source": {"discovery": "UNKNOWN"}, "title": "SourcelessFileLoader does not use io.open_code()", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/03/05/6"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-03-05T18:35:25.713Z"}}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-668", "lang": "en", "description": "CWE-668 Exposure of Resource to Wrong Sphere"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T14:58:41.472003Z", "id": "CVE-2026-2297", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T14:58:46.051Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/03/05/6"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-03-05T18:35:25.713Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2297", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-12T14:58:41.472003Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-668", "description": "CWE-668 Exposure of Resource to Wrong Sphere"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T14:58:35.936Z"}}], "cna": {"title": "SourcelessFileLoader does not use io.open_code()", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.7, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/python/cpython", "vendor": "Python Software Foundation", "product": "CPython", "versions": [{"status": "affected", "version": "0", "lessThan": "3.13.13", "versionType": "python"}, {"status": "affected", "version": "3.14.0", "lessThan": "3.14.4", "versionType": "python"}, {"status": "affected", "version": "3.15.0a1", "lessThan": "3.15.0a7", "versionType": "python"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/python/cpython/issues/145506", "tags": ["issue-tracking"]}, {"url": "https://github.com/python/cpython/pull/145507", "tags": ["patch"]}, {"url": "https://github.com/python/cpython/commit/482d6f8bdba9da3725d272e8bb4a2d25fb6a603e", "tags": ["patch"]}, {"url": "https://github.com/python/cpython/commit/a51b1b512de1d56b3714b65628a2eae2b07e535e", "tags": ["patch"]}, {"url": "https://github.com/python/cpython/commit/e58e9802b9bec5cdbf48fc9bf1da5f4fda482e86", "tags": ["patch"]}, {"url": "https://github.com/python/cpython/commit/69ddd9bb2cc4bd69b1565647c18659c6a789ccd9", "tags": ["patch"]}, {"url": "https://github.com/python/cpython/commit/876858c9f65d9ab656c7fa639f268ce7856d89dd", "tags": ["patch"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.", "supportingMedia": [{"type": "text/html", "value": "The import hook in CPython that handles legacy <code>*.pyc</code> files (<code>SourcelessFileLoader</code>) is incorrectly handled in <code>FileLoader</code> (a base class) and so does not use <code>io.open_code()</code> to read the <code>.pyc</code> files. sys.audit handlers for this audit event therefore do not fire.", "base64": false}]}], "providerMetadata": {"orgId": "28c92f92-d60d-412d-b760-e73465c3df22", "shortName": "PSF", "dateUpdated": "2026-05-01T15:13:05.340Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2297", "state": "PUBLISHED", "dateUpdated": "2026-05-01T15:13:05.340Z", "dateReserved": "2026-02-10T16:26:08.298Z", "assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22", "datePublished": "2026-03-04T22:10:43.297Z", "assignerShortName": "PSF"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire."}, {"lang": "es", "value": "El gancho de importaci\u00f3n en CPython que maneja los archivos *.pyc heredados (SourcelessFileLoader) es manejado incorrectamente en FileLoader (una clase base) y por lo tanto no usa io.open_code() para leer los archivos .pyc. Los manejadores de sys.audit para este evento de auditor\u00eda, por lo tanto, no se disparan."}], "id": "CVE-2026-2297", "lastModified": "2026-05-01T16:16:30.110", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@python.org", "type": "Secondary"}]}, "published": "2026-03-04T23:16:10.757", "references": [{"source": "cna@python.org", "url": "https://github.com/python/cpython/commit/482d6f8bdba9da3725d272e8bb4a2d25fb6a603e"}, {"source": "cna@python.org", "url": "https://github.com/python/cpython/commit/69ddd9bb2cc4bd69b1565647c18659c6a789ccd9"}, {"source": "cna@python.org", "url": "https://github.com/python/cpython/commit/876858c9f65d9ab656c7fa639f268ce7856d89dd"}, {"source": "cna@python.org", "url": "https://github.com/python/cpython/commit/a51b1b512de1d56b3714b65628a2eae2b07e535e"}, {"source": "cna@python.org", "url": "https://github.com/python/cpython/commit/e58e9802b9bec5cdbf48fc9bf1da5f4fda482e86"}, {"source": "cna@python.org", "url": "https://github.com/python/cpython/issues/145506"}, {"source": "cna@python.org", "url": "https://github.com/python/cpython/pull/145507"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2026/03/05/6"}], "sourceIdentifier": "cna@python.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-668"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "cpython: CPython: Logging Bypass in Legacy .pyc File Handling", "id": "2444691", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2444691"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.3", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "status": "draft"}, "cwe": "CWE-778", "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-2297", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "python3.12", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "python3.14", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "python", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "python", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "python3", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "python3", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "python3.11", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "python3.12", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "python36:3.6/python36", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "python39-devel:3.9/python39", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "python3.11", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "python3.12", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "python3.14", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "python3.9", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/bootc-aws-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/bootc-azure-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/bootc-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/bootc-gcp-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}], "public_date": "2026-03-04T22:10:43Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-2297\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-2297\nhttps://github.com/python/cpython/commit/482d6f8bdba9da3725d272e8bb4a2d25fb6a603e\nhttps://github.com/python/cpython/commit/a51b1b512de1d56b3714b65628a2eae2b07e535e\nhttps://github.com/python/cpython/commit/e58e9802b9bec5cdbf48fc9bf1da5f4fda482e86\nhttps://github.com/python/cpython/issues/145506\nhttps://github.com/python/cpython/pull/145507"], "threat_severity": "Low"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.15.0)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "CPython", "source": "cna", "vendor": "Python Software Foundation"}, "product": "cpython", "vendor": "python"}], "analysis": {"en": {"generated_at": "2026-04-15T20:03:38.762796+00:00", "value": {"mitigation_remediation": ["Apply a Python release that corrects the import hook to use io.open_code() and triggers audit events; upgrade when available.", "Configure audit logging to record all module imports or enforce strict whitelisting of .pyc files in trusted directories.", "Restrict placement of .pyc files to trusted, isolated directories and remove any untrusted .pyc files from the PYTHONPATH or import locations."], "summary": {"action": "Monitor", "impact": "Audit bypass leading to undetected code execution via .pyc import"}, "threat_synthesis": {"affected_systems": "Python Software Foundation\u2019s CPython implementation is affected. No specific product versions are listed, so all releases that still use the legacy import hook for legacy .pyc files are potentially vulnerable and should be treated as impacted until a fix is released.", "description_and_impact": "The flaw lies in CPython\u2019s import hook for legacy byte\u2011code files; it fails to invoke io.open_code(), preventing sys.audit handlers from firing for this import event. As a result, any code loaded from a *.pyc file can execute without generating the expected audit trail, allowing an attacker to run covert or malicious code without triggering detection mechanisms.", "risk_and_exploitability": "The CVSS score of 5.7 indicates a moderate severity, with an EPSS score of less than 1\u202f% suggesting low historical exploitation probability. The vulnerability is not currently listed in CISA\u2019s KEV catalog. The most likely attack vector is through the local execution of malicious .pyc files or a local attacker having the ability to place such files in a location that Python will import. Once a .pyc is imported, the missing audit event means the operation can proceed silently, facilitating covert execution of arbitrary code."}}}}, "created": "2026-03-05T09:05:34.693499+00:00", "updated": "2026-04-15T20:15:13.702725+00:00", "vendors": ["python", "python$PRODUCT$cpython"], "weaknesses": ["CWE-668", "CWE-778"]}