Python CPython Use-After-Free Vulnerability in Decompressor Classes

Vulnerability

A use-after-free vulnerability has been identified in the CPython implementation of the LZMA, BZ2, and Gzip decompressor classes. It occurs when a memory allocation inside the decompressor fails, raising a MemoryError, and the same decompressor instance is then reused. Under memory pressure this scenario can be exploited, leading to potential memory corruption. The issue is not present when using the one-shot decompression functions, as they create a new decompressor instance for each call.

Impact

Triggering this vulnerability can lead to memory corruption, which may in turn be exploited to execute arbitrary code or to crash the program.

Reproduction

To reproduce this vulnerability, create an instance of LZMADecompressor, BZ2Decompressor, or GzipFile. Under memory pressure, intentionally cause a MemoryError during decompression, then reuse the same decompressor instance for another decompression call. This will trigger the use-after-free condition, as the instance will attempt to read from a memory buffer that has already been released.

Remediation

The vulnerability has been fixed in the CPython repository. Users should update to the latest version of Python where this issue has been addressed.
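A defensive pattern for code that streams data through these classes, added here as an example and not taken from the advisory or from CPython: wrap the decompressor so that an instance whose decompress() raised MemoryError is discarded instead of being reused, in line with the advisory's note that fresh instances (as the one-shot functions use) are unaffected. GuardedDecompressor, decompress_chunks and the sample payload are constructed for this example; the library calls are the standard lzma, bz2, gzip and zlib APIs.

```python
import bz2
import gzip
import lzma
import zlib

class GuardedDecompressor:
    """Refuses to reuse a decompressor object once decompress() raised MemoryError.
    On unpatched CPython the LZMA/BZ2/zlib objects may then reference a freed buffer,
    so the instance is poisoned and a fresh one has to be created instead."""

    def __init__(self, factory):
        self._dec = factory()          # e.g. lzma.LZMADecompressor

    def decompress(self, data):
        if self._dec is None:
            raise RuntimeError("decompressor discarded after MemoryError; create a new one")
        try:
            return self._dec.decompress(data)
        except MemoryError:
            self._dec = None           # poison: never call into the old object again
            raise

    @property
    def eof(self):
        return self._dec is not None and self._dec.eof

def decompress_chunks(chunks, factory):
    """Stream-decompress byte chunks with one guarded instance; truncation is an error."""
    guard = GuardedDecompressor(factory)
    out = bytearray()
    for chunk in chunks:
        out += guard.decompress(chunk)
    if not guard.eof:
        raise ValueError("compressed stream ended early")
    return bytes(out)

# Constructed sample payload and the three stream formats named in the advisory.
SAMPLE = b"never reuse a decompressor after MemoryError\n" * 200
FORMATS = {
    "lzma": (lzma.compress, lzma.LZMADecompressor),
    "bz2": (bz2.compress, bz2.BZ2Decompressor),
    "gzip": (gzip.compress, lambda: zlib.decompressobj(wbits=31)),  # 31 = gzip framing
}

def roundtrip(name, chunk_size=64):
    """Compress SAMPLE, feed it back in small chunks, and confirm the bytes match."""
    compress, factory = FORMATS[name]
    blob = compress(SAMPLE)
    chunks = [blob[i:i + chunk_size] for i in range(0, len(blob), chunk_size)]
    return decompress_chunks(chunks, factory) == SAMPLE
```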

Added: Apr 13, 2026, 6:38 PM
Updated: Apr 13, 2026, 6:38 PM

Vulnerability Rating

Custom Algorithm

spread: 7.8
impact: 7.5
exploitability: 4.7
remediation: 0.0
relevance: 5.8
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.