CVE-2026-2297

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-2297
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-2297.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-2297
Aliases
Downstream
Related
Published
2026-03-04T22:10:43.297Z
Modified
2026-06-15T12:22:35.465050819Z
Severity
  • 5.7 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
SourcelessFileLoader does not use io.open_code()
Details

The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/2xxx/CVE-2026-2297.json",
    "cna_assigner": "PSF"
}
References

Affected packages

Git / github.com/python/cpython

Affected ranges

Type
GIT
Repo
https://github.com/python/cpython
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Introduced
ebf955df7a89ed0c7968f79faec1de49f61ed7cb
Introduced
f31a89bb901067dd105b00cfa90523cf7ffdbbdd
Fixed
01104ce1beb3135c2e0c01ec835b994c1f55a1c0
Fixed
23116f998f6789d8c2fbe5ed5b8146854c8c2a4f
Fixed
6024d3c6dadf73bcd0b234d2d97365486253f0ee
Fixed
482d6f8bdba9da3725d272e8bb4a2d25fb6a603e
Fixed
69ddd9bb2cc4bd69b1565647c18659c6a789ccd9
Fixed
876858c9f65d9ab656c7fa639f268ce7856d89dd
Fixed
a51b1b512de1d56b3714b65628a2eae2b07e535e
Fixed
e58e9802b9bec5cdbf48fc9bf1da5f4fda482e86
Database specific 
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.13.13"
        },
        {
            "introduced": "3.14.0"
        },
        {
            "fixed": "3.14.4"
        },
        {
            "introduced": "3.15.0a1"
        },
        {
            "fixed": "3.15.0a7"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ]
}

Affected versions

v0.*
v0.9.8
v0.9.9
v1.*
v1.0.1
v1.0.2
v1.1
v1.1.1
v1.2
v1.2b1
v1.2b2
v1.2b3
v1.2b4
v1.3
v1.3b1
v1.4
v1.4b1
v1.4b2
v1.4b3
v1.5
v1.5.1
v1.5.2
v1.5.2a1
v1.5.2a2
v1.5.2b1
v1.5.2b2
v1.5.2c1
v1.5a1
v1.5a2
v1.5a3
v1.5a4
v1.5b1
v1.5b2
v1.6a1
v1.6a2
v2.*
v2.0
v2.0b1
v2.0b2
v2.0c1
v2.1
v2.1a1
v2.1a2
v2.1b1
v2.1b2
v2.1c1
v2.1c2
v2.2a3
v2.3c1
v2.3c2
v2.4
v2.4a1
v2.4a2
v2.4a3
v2.4b1
v2.4b2
v2.4c1
v3.*
v3.0a1
v3.0a2
v3.0a3
v3.0a4
v3.0a5
v3.0b1
v3.0b2
v3.0b3
v3.0rc1
v3.0rc2
v3.0rc3
v3.1
v3.10.0a1
v3.10.0a7
v3.10.0b1
v3.10.0b2
v3.10.0b3
v3.10.0b4
v3.10.0rc1
v3.10.0rc2
v3.10.1
v3.10.10
v3.10.11
v3.10.12
v3.10.13
v3.10.14
v3.10.15
v3.10.16
v3.10.17
v3.10.18
v3.10.19
v3.10.2
v3.10.20
v3.10.3
v3.10.4
v3.10.5
v3.10.6
v3.10.7
v3.10.8
v3.10.9
v3.11.0a3
v3.11.0a4
v3.11.0a5
v3.11.0a6
v3.11.0a7
v3.11.0b1
v3.11.0b2
v3.11.0b3
v3.11.0b4
v3.11.0b5
v3.11.0rc1
v3.11.0rc2
v3.11.1
v3.11.10
v3.11.11
v3.11.12
v3.11.13
v3.11.14
v3.11.15
v3.11.2
v3.11.3
v3.11.4
v3.11.5
v3.11.6
v3.11.7
v3.11.8
v3.11.9
v3.12.0a1
v3.12.0a2
v3.12.0a3
v3.12.0a4
v3.12.0a5
v3.12.0a6
v3.12.0a7
v3.12.0b1
v3.13.0
v3.13.0a1
v3.13.0a2
v3.13.0a3
v3.13.0a4
v3.13.0a5
v3.13.0a6
v3.13.0b1
v3.13.0b2
v3.13.0b3
v3.13.0b4
v3.13.0rc1
v3.13.0rc2
v3.13.0rc3
v3.13.1
v3.13.10
v3.13.11
v3.13.12
v3.13.2
v3.13.3
v3.13.4
v3.13.5
v3.13.6
v3.13.7
v3.13.8
v3.14.0
v3.14.0a1
v3.14.0a2
v3.14.0a3
v3.14.0a4
v3.14.0a5
v3.14.0a6
v3.14.0a7
v3.14.0b1
v3.14.1
v3.14.2
v3.14.3
v3.15.0a1
v3.15.0a2
v3.15.0a3
v3.15.0a4
v3.15.0a5
v3.15.0a6
v3.1a1
v3.1a2
v3.1b1
v3.1rc1
v3.1rc2
v3.2a1
v3.2a2
v3.2a3
v3.2a4
v3.2b1
v3.2b2
v3.2rc1
v3.2rc2
v3.2rc3
v3.3.0a2
v3.3.0a3
v3.3.0a4
v3.3.0b1
v3.3.0b2
v3.3.0rc1
v3.3.0rc2
v3.3.0rc3
v3.4.0a1
v3.4.0a2
v3.4.0a3
v3.4.0a4
v3.4.0b1
v3.4.0b2
v3.4.0b3
v3.5.0a1
v3.5.0a2
v3.5.0a3
v3.5.0a4
v3.5.0b1
v3.6.0a3
v3.6.0b1
v3.7.0a2
v3.9.0a2

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-2297.json"