CVE-2026-2297
Public on 2026-03-04
Modified on 2026-03-07
Description
The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2 - Core | python | Not Affected | ||
| Amazon Linux 2 - Core | python3 | Not Affected | ||
| Amazon Linux 2023 | python3.11 | Pending Fix | ||
| Amazon Linux 2023 | python3.12 | Pending Fix | ||
| Amazon Linux 2023 | python3.13 | Pending Fix | ||
| Amazon Linux 2023 | python3.14 | Pending Fix | ||
| Amazon Linux 2023 | python3.9 | Pending Fix |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 3.3 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |