{ "threat_severity" : "Low", "public_date" : "2026-03-04T22:10:43Z", "bugzilla" : { "description" : "cpython: CPython: Logging Bypass in Legacy .pyc File Handling", "id" : "2444691", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2444691" }, "cvss3" : { "cvss3_base_score" : "3.3", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "status" : "verified" }, "cwe" : "CWE-778", "details" : [ "The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.", "A flaw was found in CPython. This vulnerability allows a local user with low privileges to bypass security auditing mechanisms. The issue occurs because the SourcelessFileLoader component, responsible for handling older Python compiled files (.pyc), does not properly trigger system audit events. This oversight could enable malicious activities to go undetected, compromising the integrity of the system." ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 10", "release_date" : "2026-05-19T00:00:00Z", "advisory" : "RHSA-2026:19019", "cpe" : "cpe:/o:redhat:enterprise_linux:10.2", "package" : "python3.14-0:3.14.4-2.el10_2" }, { "product_name" : "Red Hat Enterprise Linux 10", "release_date" : "2026-05-19T00:00:00Z", "advisory" : "RHSA-2026:19064", "cpe" : "cpe:/o:redhat:enterprise_linux:10.2", "package" : "python3.12-0:3.12.13-2.el10_2" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2026-04-27T00:00:00Z", "advisory" : "RHSA-2026:10950", "cpe" : "cpe:/a:redhat:enterprise_linux:8", "package" : "python3.12-0:3.12.13-2.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2026-05-19T00:00:00Z", "advisory" : "RHSA-2026:19176", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "python3.14-0:3.14.4-2.el9_8" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2026-05-19T00:00:00Z", "advisory" : "RHSA-2026:19177", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "python3.12-0:3.12.13-2.el9_8" }, { "product_name" : "Red Hat Hardened Images", "release_date" : "2026-04-10T00:00:00Z", "advisory" : "RHSA-2026:7443", "cpe" : "cpe:/a:redhat:hummingbird:1", "package" : "python3-13-main-3.13.13-1.hum1" }, { "product_name" : "Red Hat Hardened Images", "release_date" : "2026-04-11T00:00:00Z", "advisory" : "RHSA-2026:7661", "cpe" : "cpe:/a:redhat:hummingbird:1", "package" : "python3-14-main-3.14.4-1.hum1" }, { "product_name" : "Red Hat Hardened Images", "release_date" : "2026-04-17T00:00:00Z", "advisory" : "RHSA-2026:8822", "cpe" : "cpe:/a:redhat:hummingbird:1", "package" : "python3-11-main-3.11.15-4.hum1" }, { "product_name" : "Red Hat Hardened Images", "release_date" : "2026-04-17T00:00:00Z", "advisory" : "RHSA-2026:8824", "cpe" : "cpe:/a:redhat:hummingbird:1", "package" : "python3-12-main-3.12.13-3.hum1" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "python", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "python", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "python3", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "python3", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "python3.11", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "python36:3.6/python36", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "python39-devel:3.9/python39", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "python3.11", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "python3.9", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3", "fix_state" : "Fix deferred", "package_name" : "rhelai3/bootc-aws-cuda-rhel9", "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3" }, { "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3", "fix_state" : "Fix deferred", "package_name" : "rhelai3/bootc-azure-cuda-rhel9", "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3" }, { "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3", "fix_state" : "Fix deferred", "package_name" : "rhelai3/bootc-cuda-rhel9", "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3" }, { "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3", "fix_state" : "Fix deferred", "package_name" : "rhelai3/bootc-gcp-cuda-rhel9", "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-2297\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-2297\nhttps://github.com/python/cpython/commit/482d6f8bdba9da3725d272e8bb4a2d25fb6a603e\nhttps://github.com/python/cpython/commit/a51b1b512de1d56b3714b65628a2eae2b07e535e\nhttps://github.com/python/cpython/commit/e58e9802b9bec5cdbf48fc9bf1da5f4fda482e86\nhttps://github.com/python/cpython/issues/145506\nhttps://github.com/python/cpython/pull/145507" ], "name" : "CVE-2026-2297", "mitigation" : { "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "lang" : "en:us" }, "csaw" : false }