5.7
CPython legacy .pyc file loading bypasses security checks
CVE-2026-2297
PSF-2026-9
Summary
CPython's import hook for legacy .pyc files (SourcelessFileLoader) does not read those files through io.open_code(), so the sys.audit handlers for that audit event do not fire when such files are loaded. To protect your system, ensure you're running the latest version of CPython, and configure your system to use secure file loading methods.
What to do
- Update libpython to version 3.15.0.
- Update python to version 3.15.0.
- Update python-min to version 3.15.0.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | libpython | <= 3.15.0 | 3.15.0 |
| – | python | <= 3.15.0 | 3.15.0 |
| – | python-min | <= 3.15.0 | 3.15.0 |
Original title
The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys....
Original description
The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.
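A behavioural check for the condition described above, added here as an example and not taken from the CPython project or the advisory: it reports whether the running interpreter reads a sourceless .pyc through io.open_code(). It assumes importlib looks up `_io.open_code` at call time (a CPython implementation detail); `probe_mod` and the function names are constructed for the example.

```python
import _io
import os
import py_compile
import tempfile
from importlib.machinery import SourceFileLoader, SourcelessFileLoader


def loader_uses_open_code(loader_cls, module_name, file_path):
    """Return True if loader_cls.get_data() opens file_path via io.open_code()."""
    seen = []
    original = _io.open_code

    def recording_open_code(path):
        # Record every path requested through the "open as code" entry point.
        seen.append(os.path.realpath(path))
        return original(path)

    _io.open_code = recording_open_code  # assumption: resolved at call time
    try:
        loader_cls(module_name, file_path).get_data(file_path)
    finally:
        _io.open_code = original  # always restore the real function
    return os.path.realpath(file_path) in seen


def check_interpreter():
    """Compare the .py loader (control) with the legacy .pyc loader."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "probe_mod.py")  # constructed sample module
        with open(src, "w") as fh:
            fh.write("VALUE = 1\n")
        pyc = os.path.join(tmp, "probe_mod.pyc")  # legacy location beside source
        py_compile.compile(src, cfile=pyc, doraise=True)
        return {
            # Control: source files are expected to go through open_code.
            "source": loader_uses_open_code(SourceFileLoader, "probe_mod", src),
            # False here means the .pyc read bypassed io.open_code().
            "sourceless": loader_uses_open_code(
                SourcelessFileLoader, "probe_mod", pyc),
        }


if __name__ == "__main__":
    result = check_interpreter()
    print(result)
    if result["source"] and not result["sourceless"]:
        print("legacy .pyc files are read without io.open_code()")
```

A `sourceless` value of `False` alongside a `source` value of `True` means open_code-based controls do not see legacy .pyc loads on that interpreter.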
nvd CVSS4.0
5.7
Vulnerability type
CWE-668
- https://github.com/python/cpython/commit/482d6f8bdba9da3725d272e8bb4a2d25fb6a603...
- https://github.com/python/cpython/commit/a51b1b512de1d56b3714b65628a2eae2b07e535...
- https://github.com/python/cpython/commit/e58e9802b9bec5cdbf48fc9bf1da5f4fda482e8...
- https://github.com/python/cpython/issues/145506
- https://github.com/python/cpython/pull/145507
- http://www.openwall.com/lists/oss-security/2026/03/05/6
- https://nvd.nist.gov/vuln/detail/CVE-2026-2297
Published: 4 Mar 2026 · Updated: 14 Mar 2026 · First seen: 6 Mar 2026