-------- Forwarded Message -------- Subject: [Security-announce][CVE-2026-2297] SourcelessFileLoader does not use io.open_code() Date: Wed, 4 Mar 2026 22:42:49 +0000 From: Seth Larson <[email protected]> Reply-To: [email protected] To: [email protected] There is a MEDIUM severity vulnerability affecting CPython. The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire. Please see the linked CVE ID for the latest information on affected versions: * https://www.cve.org/CVERecord?id=CVE-2026-2297 * https://github.com/python/cpython/pull/145507
