The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. This means anyone who has hooked io.open_code() to do validation will be bypassed.
class FileLoader:
...
def get_data(self, path):
"""Return the data from path as raw bytes."""
if isinstance(self, (SourceLoader, ExtensionFileLoader)):
with _io.open_code(str(path)) as file:
return file.read()
else:
with _io.FileIO(path, 'r') as file:
return file.read()The SourcelessFileLoader subclass doesn't get caught by the isinstance() call, because it's neither of the classes listed. It should have SourcelessFileLoader added to the tuple.
This import hook is enabled by default, though the SourceFileLoader is higher priority, and it does correctly use io.open_code().
Legacy *.pyc files may be used if a user has precompiled their sources and then removed the source code. Under default configuration, it will never be used.
I didn't find any GitHub results that were actual uses, though I expected they'd all be private forks anyway, so I think the impact is going to be very low. The fix is trivial, but this is also easily exploitable if it's the sole security measure - for any module that's going to be imported, put its .pyc earlier on the search path and that'll be picked first without verification.
(This has already been reviewed by the PSRT and assigned CVE-2026-2297. The issue is just to get the fix merged.)
Linked PRs
The import hook in CPython that handles legacy
*.pycfiles (SourcelessFileLoader) is incorrectly handled inFileLoader(a base class) and so does not useio.open_code()to read the.pycfiles. This means anyone who has hookedio.open_code()to do validation will be bypassed.The
SourcelessFileLoadersubclass doesn't get caught by theisinstance()call, because it's neither of the classes listed. It should haveSourcelessFileLoaderadded to the tuple.This import hook is enabled by default, though the
SourceFileLoaderis higher priority, and it does correctly useio.open_code().Legacy
*.pycfiles may be used if a user has precompiled their sources and then removed the source code. Under default configuration, it will never be used.I didn't find any GitHub results that were actual uses, though I expected they'd all be private forks anyway, so I think the impact is going to be very low. The fix is trivial, but this is also easily exploitable if it's the sole security measure - for any module that's going to be imported, put its
.pycearlier on the search path and that'll be picked first without verification.(This has already been reviewed by the PSRT and assigned CVE-2026-2297. The issue is just to get the fix merged.)
Linked PRs