Fwd: [CVE-2026-2297] SourcelessFileLoader does not use io.open_code()

[Alan Coopersmith <alan.coopersmith () oracle com>]

-------- Forwarded Message --------
Subject:        [Security-announce][CVE-2026-2297] SourcelessFileLoader does not use io.open_code()
Date:   Wed, 4 Mar 2026 22:42:49 +0000
From:   Seth Larson <seth () python org>
Reply-To:       security-sig () python org
To:     security-announce () python org



There is a MEDIUM severity vulnerability affecting CPython.

The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader 
(a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event 
therefore do not fire.

Please see the linked CVE ID for the latest information on affected versions:

* https://www.cve.org/CVERecord?id=CVE-2026-2297

* https://github.com/python/cpython/pull/145507