CVE-2026-2297: Resource Exposure in Software Foundation CPython

Severity: 5.7 MEDIUM (NVD)
EPSS: 0.0% (top 95.52%)
CISA KEV: Not in KEV
Exploit: No known exploits

Timeline
Published: Mar 4
Latest update: Mar 10

Description

The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Affected Packages (1 package)

CVEListV5: python_software_foundation/cpython 3.14.0 3.14.4 +2

🔴 Vulnerability Details (3)

GHSA: GHSA-86jh-grmm-2v3h: The import hook in CPython that handles legacy * (2026-03-05)
OSV: CVE-2026-2297: The import hook in CPython that handles legacy * (2026-03-04)
CVEList: SourcelessFileLoader does not use io.open_code() (2026-03-04)

📋 Vendor Advisories (3)

Microsoft: SourcelessFileLoader does not use io.open_code() (2026-03-10)
Red Hat: cpython: CPython: Logging Bypass in Legacy .pyc File Handling (2026-03-04)
Debian: CVE-2026-2297: pypy3 - The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader... (2026)

🕵️ Threat Intelligence (1)

Wiz: CVE-2026-2297 Impact, Exploitability, and Mitigation Steps | Wiz

💬 Community (4)

Bugzilla: CVE-2026-2297 python3.15: CPython: Logging Bypass in Legacy .pyc File Handling [fedora-all] (2026-03-04)
Bugzilla: CVE-2026-2297 mingw-python3: CPython: Logging Bypass in Legacy .pyc File Handling [fedora-all] (2026-03-04)
Bugzilla: CVE-2026-2297 python3.13: CPython: Logging Bypass in Legacy .pyc File Handling [fedora-all] (2026-03-04)
Bugzilla: CVE-2026-2297 python3.14: CPython: Logging Bypass in Legacy .pyc File Handling [fedora-all] (2026-03-04)