Cyber Resilience

CVE-2026-6100

Severity: Critical (record updated)

Published: 13 April 2026
Modified: 30 June 2026
KEV Added: not listed (see Summary)
Patch: fix available (see Vulnerability details)

CVSS v4.0 score: 9.1 (vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0052 (40.0th percentile)
Risk priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-6100 is a critical-severity use-after-free (CWE-416) vulnerability in Python (affected product inferred from references). Its CVSS base score is 9.1 (Critical).

Operationally, EPSS ranks it at the 40.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Vulnerability details

Use-after-free (UAF) was possible in `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition. The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. Using the helper functions to one-shot decompress data, such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()`, is not affected, as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, that usage is similarly not vulnerable.
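The safe usage pattern the description points at is "never feed the same decompressor again after a `MemoryError`". The following is an added example written for this page, not CPython code and not part of the fix; the wrapper name `FreshAfterError`, the helper `decompress_chunks`, and the `_OutOfMemoryOnce` stand-in that simulates an allocation failure are all assumptions made here to exercise the replacement path offline. It shows a streaming decompressor wrapper that discards the failed instance and builds a new one from the factory, plus a round trip through the real `lzma.LZMADecompressor` and `bz2.BZ2Decompressor` classes named in the advisory.

```python
import bz2
import lzma


class FreshAfterError:
    """Wrap a decompressor so one instance is never re-used after MemoryError.

    CVE-2026-6100 is only reachable when the *same* LZMADecompressor /
    BZ2Decompressor object keeps being fed data after decompress() raised
    MemoryError. This hypothetical helper discards the failed instance and
    creates a new one from the factory, so a later call never touches the
    stale state of the failed object.
    """

    def __init__(self, factory):
        self._factory = factory   # e.g. lzma.LZMADecompressor
        self._inner = factory()
        self.replacements = 0     # how many failed instances were thrown away

    def decompress(self, data, max_length=-1):
        try:
            return self._inner.decompress(data, max_length)
        except MemoryError:
            # Drop the instance on which the allocation failed; any retry
            # must start on a fresh object (the advisory's safe condition).
            self._inner = self._factory()
            self.replacements += 1
            raise

    @property
    def eof(self):
        return self._inner.eof


def decompress_chunks(chunks, factory):
    """Feed an iterable of byte chunks through a single, fresh decompressor."""
    wrapper = FreshAfterError(factory)
    out = bytearray()
    for chunk in chunks:
        out += wrapper.decompress(chunk)
    return bytes(out), wrapper


class _OutOfMemoryOnce:
    """Constructed stand-in (not a real decompressor) that fails the way a
    decompressor under memory pressure would on its first call only."""
    calls = 0

    def __init__(self):
        self.eof = False

    def decompress(self, data, max_length=-1):
        type(self).calls += 1
        if type(self).calls == 1:
            raise MemoryError("simulated allocation failure")
        return b"ok:" + data


def demo():
    # Constructed sample payload; compressed with the real stdlib codecs.
    payload = b"The quick brown fox jumps over the lazy dog. " * 200
    results = {}
    for name, compress, factory in (
        ("lzma", lzma.compress, lzma.LZMADecompressor),
        ("bz2", bz2.compress, bz2.BZ2Decompressor),
    ):
        blob = compress(payload)
        chunks = [blob[i:i + 64] for i in range(0, len(blob), 64)]
        data, wrapper = decompress_chunks(chunks, factory)
        results[name] = (data == payload, wrapper.eof, wrapper.replacements)

    # Simulated MemoryError: the first instance is discarded and the retry
    # runs on a brand-new one, so the failed object is never reused.
    _OutOfMemoryOnce.calls = 0
    w = FreshAfterError(_OutOfMemoryOnce)
    try:
        w.decompress(b"x")
    except MemoryError:
        pass
    retry = w.decompress(b"x")
    results["simulated"] = (retry, w.replacements)
    return results


if __name__ == "__main__":
    print(demo())
```

The wrapper is the smallest structural way to make the unsafe pattern impossible in an application's own code: callers keep a single long-lived object, but every `MemoryError` forces a fresh underlying decompressor. Note that `gzip.GzipFile` is a file object rather than a `decompress()`-style class, so for it the equivalent rule is to close and reopen the file after an error rather than continue reading from the same object.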

CWE(s): CWE-416 (Use After Free), CWE-787 (Out-of-bounds Write)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

Insufficient information to map techniques.
Confidence: LOW · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-6784: shared CWE-416, CWE-787
CVE-2026-6786: shared CWE-416, CWE-787
CVE-2026-6785: shared CWE-416, CWE-787
CVE-2026-7357: shared CWE-416
CVE-2025-24451: shared CWE-787
CVE-2026-29775: shared CWE-787
CVE-2026-7349: shared CWE-416
CVE-2026-20418: shared CWE-787
CVE-2026-27283: shared CWE-416
CVE-2026-33721: shared CWE-787

Affected Assets

Python (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Likely Mitigating Controls (AI-generated mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses: CWE-416, CWE-787

Use-after-free exploitation that aims at arbitrary code execution is blocked or significantly hardened by non-executable (NX/DEP) pages and ASLR.