zipimporter overflow


This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.

The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the Open Source Vulnerability Database.

Heap overflow in zipimporter module.


  • Disclosure date: 2016-01-21 (Python issue bpo-26171 reported)

Fixed In

Python issue

heap overflow in zipimporter module.

  • Python issue: bpo-26171
  • Creation date: 2016-01-21
  • Reporter: Insu Yun


Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow.


Timeline using the disclosure date 2016-01-21 as reference: