CVE-2026-2297 MEDIUM

CVE-2026-2297: SourcelessFileLoader does not use io.open_code()

Vendor Python Software Foundation
Product CPython
Published March 4, 2026
Last update May 1, 2026

CVSS base score

5.7/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.

Key dates

02Disclosure timeline

March 4, 2026 CVE published
May 1, 2026 Record updated