[osgeo4w-dev] [osgeo4w] #917: QGIS LTR and prior versions - Python - vulnerability
OSGeo4W
trac_osgeo4w at osgeo.org
Thu Apr 16 06:53:09 PDT 2026
#917: QGIS LTR and prior versions - Python - vulnerability
----------------------+---------------------------
Reporter: timboqgis | Owner: osgeo4w-dev@…
Type: defect | Status: new
Priority: normal | Component: Package
Version: | Keywords: Python
----------------------+---------------------------
As of 11/04/2026, Microsoft Defender has found all current and prior
versions of QGIS to now be vulnerable to CVE-2026-6100 with the bundled
Python (currently 3.12.13), but it covers all Python versions up to 3.15.0.
A use-after-free (UAF) vulnerability exists in Python's
`lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile`
modules. This issue occurs when a memory allocation fails with a
`MemoryError` and the decompression instance is reused across multiple
decompression calls. The vulnerability is triggered under memory pressure
conditions and can lead to application crashes or arbitrary code
execution. Helper functions such as `lzma.decompress()`,
`bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not
affected as they create new decompressor instances for each call.
Exploitation of this vulnerability can result in application crashes or
arbitrary code execution, posing a significant risk to system integrity
and security.
--
Ticket URL: <https://trac.osgeo.org/osgeo4w/ticket/917>
OSGeo4W <http://trac.osgeo.org/osgeo4w>
OSGeo4W is the Windows installer and package environment for the OSGeo stack.
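A defensive pattern for the reuse hazard the ticket describes, added here as an example and not QGIS, OSGeo4W or CPython code: the wrapper discards a streaming decompressor the moment any call on it fails (a `MemoryError` included) and refuses further use, while `decompress_stream` creates one fresh instance per stream, the same property that makes the one-shot helpers unaffected. The names `OneShotDecompressor` and `decompress_stream` are assumptions.

```python
"""Never reuse a streaming decompressor object after a failed call."""
import bz2
import lzma
import zlib


class OneShotDecompressor:
    """Wraps lzma.LZMADecompressor, bz2.BZ2Decompressor or zlib.decompressobj.

    `factory` (assumed name) is any callable returning an object with a
    .decompress(bytes) method.  After the first exception the inner object
    is dropped, so its possibly-corrupted state can never be touched again.
    """

    def __init__(self, factory):
        self._factory = factory
        self._inner = factory()
        self.poisoned = False  # True once a call has failed

    def decompress(self, chunk: bytes) -> bytes:
        if self.poisoned:
            raise RuntimeError(
                "decompressor discarded after an earlier failure; create a new one"
            )
        try:
            return self._inner.decompress(chunk)
        except Exception:
            # MemoryError, LZMAError, OSError, ...: poison and re-raise.
            self.poisoned = True
            self._inner = None
            raise

    @property
    def eof(self) -> bool:
        return self._inner is not None and bool(getattr(self._inner, "eof", False))


def decompress_stream(factory, chunks) -> bytes:
    """Decompress an iterable of byte chunks with one fresh instance per stream."""
    dec = OneShotDecompressor(factory)
    return b"".join(dec.decompress(c) for c in chunks)


# Constructed sample input: a small payload compressed three ways and split
# into 5-byte chunks to exercise the streaming path.
SAMPLE = b"QGIS sample payload " * 50
XZ_CHUNKS = [c for blob in [lzma.compress(SAMPLE)]
             for c in (blob[i:i + 5] for i in range(0, len(blob), 5))]
BZ2_CHUNKS = [c for blob in [bz2.compress(SAMPLE)]
              for c in (blob[i:i + 5] for i in range(0, len(blob), 5))]
ZLIB_CHUNKS = [c for blob in [zlib.compress(SAMPLE)]
               for c in (blob[i:i + 5] for i in range(0, len(blob), 5))]
```

For data that already sits in memory, `lzma.decompress()` and its siblings remain the simpler choice, as the ticket notes; the wrapper is for code that must stream.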