This security update addresses two Important-severity vulnerabilities in Python 3.11 for RHEL 9: CVE-2026-6100, a use-after-free flaw in decompression modules leading to arbitrary code execution or information disclosure, and CVE-2026-4786, a command injection vulnerability in the `webbrowser.open()` API allowing arbitrary code execution. The advisory provides updated packages to remediate the issues, specifically version `python3.11-3.11.13-5.3.el9_7` for the x86_64 architecture, with corresponding builds for other supported platforms.
Red Hat Product Errata RHSA-2026:10774 - Security Advisory Issued: 2026-04-27 Updated: 2026-04-27 RHSA-2026:10774 - Security Advisory Overview Updated Packages Synopsis Important: python3.11 security update Type/Severity Security Advisory: Important Red Hat Lightspeed patch analysis Identify and remediate systems affected by this advisory. View affected systems Topic An update for python3.11 is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Description Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix(es): python: Python: Arbitrary code execution or information disclosure via use-after-free in decompression modules (CVE-2026-6100) python: cpython: Python: Arbitrary code execution via command injection in webbrowser.open() API (CVE-2026-4786) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 Affected Products Red Hat Enterprise Linux for x86_64 9 x86_64 Red Hat Enterprise Linux for IBM z Systems 9 s390x Red Hat Enterprise Linux for Power, little endian 9 ppc64le Red Hat Enterprise Linux for ARM 64 9 aarch64 Red Hat CodeReady Linux Builder for x86_64 9 x86_64 Red Hat CodeReady Linux Builder for Power, little endian 9 ppc64le Red Hat CodeReady Linux Builder for ARM 64 9 aarch64 Red Hat CodeReady Linux Builder for IBM z Systems 9 s390x Fixes BZ - 2457932 - CVE-2026-6100 python: Python: Arbitrary code execution or information disclosure via use-after-free in decompression modules BZ - 2458049 - CVE-2026-4786 python: cpython: Python: Arbitrary code execution via command injection in webbrowser.open() API CVEs CVE-2026-4786 CVE-2026-6100 References https://access.redhat.com/security/updates/classification/#important Note: More recent versions of these packages may be available. Click a package name for more details. Red Hat Enterprise Linux for x86_64 9 SRPM python3.11-3.11.13-5.3.el9_7.src.rpm SHA-256: 0da982a00babc5fde1ae9b3a0a7619f64869d1b07f3ee8e8fd1e70d0223dc367 x86_64 python3.11-3.11.13-5.3.el9_7.x86_64.rpm SHA-256: dad5892bf1d6b92d51ffe5ee9687392674a76f6ae3b1fb8acb1330f984692751 python3.11-debuginfo-3.11.13-5.3.el9_7.i686.rpm SHA-256: b6b171fba92f9060542df1ca10f1341bc57faca175cf5e629e3050f3d503bf79 python3.11-debuginfo-3.11.13-5.3.el9_7.x86_64.rpm SHA-256: 64c306bbafef2d00d3ad7d41cdf9d88e12857b23a2e58b42d11f45cf54525fe6 python3.11-debugsource-3.11.13-5.3.el9_7.i686.rpm SHA-256: b48b421b875646f8f5061d83bdcce089cbcfa76c1d83e3abd6778e19ac17d33b python3.11-debugsource-3.11.13-5.3.el9_7.x86_64.rpm SHA-256: ad9a8098799f19cc2ea06dd4a0a82987092756312b380884eb52cfb064bbad46 python3.11-devel-3.11.13-5.3.el9_7.i686.rpm SHA-256: da93d822ef1e395bb4c37fba345edcd72f327fb486689524b768b00420cb94d5 python3.11-devel-3.11.13-5.3.el9_7.x86_64.rpm SHA-256: c3bd233c83795ff11881530fa827a86ef820453023822745a189b0e00818344a python3.11-libs-3.11.13-5.3.el9_7.i686.rpm SHA-256: d26a4390eb6cb498c4000afa42619a9cd747cdbff89cffc0dc2e0fd9f5afed52 python3.11-libs-3.11.13-5.3.el9_7.x86_64.rpm SHA-256: 826f73ad7f3b94058055645c6ab87d6bd1b13811389a9b638f0bc8fb93961b2c python3.11-tkinter-3.11.13-5.3.el9_7.x86_64.rpm SHA-256: 37a25127907d2ecba555ee59e5cf671084a4dae2f303592adb0168a446bbe482 Red Hat Enterprise Linux for IBM z Systems 9 SRPM python3.11-3.11.13-5.3.el9_7.src.rpm SHA-256: 0da982a00babc5fde1ae9b3a0a7619f64869d1b07f3ee8e8fd1e70d0223dc367 s390x python3.11-3.11.13-5.3.el9_7.s390x.rpm SHA-256: 467d53c57a6642eecf25ec86ab1f84ee74a84a33d6cd6ccb7f4e3b25a2bd7a7e python3.11-debuginfo-3.11.13-5.3.el9_7.s390x.rpm SHA-256: 1e9d65cc44698e940b6fbe39a2ae73d4295c508094dca18be959be1f7110b564 python3.11-debugsource-3.11.13-5.3.el9_7.s390x.rpm SHA-256: 7145cd0d9fc71c5a2c38095dcce781bf124b6700a0ee612cfd978017eb3d05c2 python3.11-devel-3.11.13-5.3.el9_7.s390x.rpm SHA-256: 1e4ff0c0e29dda7211f744efe648370cae564431ea59de920c2086447ed5b929 python3.11-libs-3.11.13-5.3.el9_7.s390x.rpm SHA-256: d90b02fbde3bd85cbef40e7733cb1e56b62abd949c7e6379b29b0d71acffc765 python3.11-tkinter-3.11.13-5.3.el9_7.s390x.rpm SHA-256: a7ec56941f1a49926280ef3e62b1ff110bafc3bfd648e7fea7dfba15eee6a3ef Red Hat Enterprise Linux for Power, little endian 9 SRPM python3.11-3.11.13-5.3.el9_7.src.rpm SHA-256: 0da982a00babc5fde1ae9b3a0a7619f64869d1b07f3ee8e8fd1e70d0223dc367 ppc64le python3.11-3.11.13-5.3.el9_7.ppc64le.rpm SHA-256: 13b51be060a97d672f024365d52b1df69ebbfb271c14b0dda8275cdbb2b0cad8 python3.11-debuginfo-3.11.13-5.3.el9_7.ppc64le.rpm SHA-256: d76334b24d70694bf05cc756927089e43b97442d1f0a3d42866e8d7ecd031b04 python3.11-debugsource-3.11.13-5.3.el9_7.ppc64le.rpm SHA-256: 0eb8a35ec82ea30cf59953e729c97131a1c33640e7dbb26106a49cbce505f0d7 python3.11-devel-3.11.13-5.3.el9_7.ppc64le.rpm SHA-256: 49f4f2c75aef9472909363a0f770a8e9d5490f9c9ebc4559ac8d5291d82dee9c python3.11-libs-3.11.13-5.3.el9_7.ppc64le.rpm SHA-256: 277f533b383e8c56e05f2e787c40586079576c18bb08398540628c9e2f26b24a python3.11-tkinter-3.11.13-5.3.el9_7.ppc64le.rpm SHA-256: d7c27e0f361553f45247c9c3f9bd0649cd02cfa02dec03a78ef8bb60d878e9d4 Red Hat Enterprise Linux for ARM 64 9 SRPM python3.11-3.11.13-5.3.el9_7.src.rpm SHA-256: 0da982a00babc5fde1ae9b3a0a7619f64869d1b07f3ee8e8fd1e70d0223dc367 aarch64 python3.11-3.11.13-5.3.el9_7.aarch64.rpm SHA-256: 72010cfe450a1aa1376f3cb91162f1e7475c93b77dda6b3855404087dfe365ed python3.11-debuginfo-3.11.13-5.3.el9_7.aarch64.rpm SHA-256: c1b2799299ad5d44b7753a4d16e675ef5048098a0c7a998135fb2a4a2cae5291 python3.11-debugsource-3.11.13-5.3.el9_7.aarch64.rpm SHA-256: 168c678bff3e35db0948a0fdf0ad2a6b262c6ac68d78aaf91c9348368b01d6de python3.11-devel-3.11.13-5.3.el9_7.aarch64.rpm SHA-256: 7b138647499985aeea95f5576d9399c72e00afe2062bff8b3bfdfa90ca3a682f python3.11-libs-3.11.13-5.3.el9_7.aarch64.rpm SHA-256: 03697ce988307348080deb4ba19864862bec2275634ea34a703d598ed3fb7256 python3.11-tkinter-3.11.13-5.3.el9_7.aarch64.rpm SHA-256: e146c4f65abb1198e1735ce08d12f8f820f51ae600ce2f06b2f2e98b94cc018e Red Hat CodeReady Linux Builder for x86_64 9 SRPM x86_64 python3.11-3.11.13-5.3.el9_7.i686.rpm SHA-256: 2a7139239086d4e827aa26e5279968d44b54656cdc5b2d3e819b7c563598d033 python3.11-debug-3.11.13-5.3.el9_7.i686.rpm SHA-256: 34e79175725c0d72aed7871d317b67bd6eea14acedba29e4021705006b510851 python3.11-debug-3.11.13-5.3.el9_7.x86_64.rpm SHA-256: 8d1001b3177d643e60fe9910963c27d4a70b68cfcd25300ba055258281ee7ab3 python3.11-debuginfo-3.11.13-5.3.el9_7.i686.rpm SHA-256: b6b171fba92f9060542df1ca10f1341bc57faca175cf5e629e3050f3d503bf79 python3.11-debuginfo-3.11.13-5.3.el9_7.x86_64.rpm SHA-256: 64c306bbafef2d00d3ad7d41cdf9d88e12857b23a2e58b42d11f45cf54525fe6 python3.11-debugsource-3.11.13-5.3.el9_7.i686.rpm SHA-256: b48b421b875646f8f5061d83bdcce089cbcfa76c1d83e3abd6778e19ac17d33b python3.11-debugsource-3.11.13-5.3.el9_7.x86_64.rpm SHA-256: ad9a8098799f19cc2ea06dd4a0a82987092756312b380884eb52cfb064bbad46 python3.11-idle-3.11.13-5.3.el9_7.i686.rpm SHA-256: fa2832072707f2a3203a14744faf6ca40efc647e986f7ff61b7803f3f82fda4b python3.11-idle-3.11.13-5.3.el9_7.x86_64.rpm SHA-256: 047dfd0af5914ff71d11150e3210e5fce46ed12747fb623590744dc5fd7a56e7 python3.11-test-3.11.13-5.3.el9_7.i686.rpm SHA-256: f8568bf63df4127bb4aa1486576b829ca730372c2d9247f257f803af8e54198d python3.11-test-3.11.13-5.3.el9_7.x86_64.rpm SHA-256: c778eed580b937875afcad089835aa12899733cf157eb2e0b964a1f85e379d0e python3.11-tkinter-3.11.13-5.3.el9_7.i686.rpm SHA-256: 77f812e9d96179a193087ca32fcc86b37244d760d63f486f4d411bbcae224e8c Red Hat CodeReady Linux Builder for Power, little endian 9 SRPM ppc64le python3.11-debug-3.11.13-5.3.el9_7.ppc64le.rpm SHA-256: 000318f216059e819c4d4d8555a4ba71ec797e6cdef61d3199683d7ebf69223e python3.11-debuginfo-3.11.13-5.3.el9_7.ppc64le.rpm SHA-256: d76334b24d70694bf05cc756927089e43b97442d1f0a3d42866e8d7ecd031b04 python3.11-debugsource-3.11.13-5.3.el9_7.ppc64le.rpm SHA-256: 0eb8a35ec82ea30cf59953e729c97131a1c33640e7dbb26106a49cbce505f0d7 python3.11-idle-3.11.13-5.3.el9_7.ppc64le.rpm SHA-256: 139e843893af2cebc0d699696e846126fdd86924dd7d6eeea25bc571500e42a6 python3.11-test-3.11.13-5.3.el9_7.ppc64le.rpm SHA-256: ad2f83c21d6cd3909cd0be5b31d0bc03934e32cc91d04923b5a394ae549e8e6a Red Hat CodeReady Linux Builder for ARM 64 9 SRPM aarch64 python3.11-debug-3.11.13-5.3.el9_7.aarch64.rpm SHA-256: b81e1c7fa23b6a1a2c734120257c6b635fed3d0ca6b6cc9df12674be1c42337f python3.11-debuginfo-3.11.13-5.3.el9_7.aarch64.rpm SHA-256: c1b2799299ad5d44b7753a4d16e675ef5048098a0c7a998135fb2a4a2cae5291 python3.11-debugsource-3.11.13-5.3.el9_7.aarch64.rpm SHA-256: 168c678bff3e35db0948a0fdf0ad2a6b262c6ac68d78aaf91c9348368b01d6de python3.11-idle-3.11.13-5.3.el9_7.aarch64.rpm SHA-256: 569318345d82fd693da034c717814369d1884a011f4a7dbb25afabeefe8f8d8c python3.11-test-3.11.13-5.3.el9_7.aarch64.rpm SHA-256: 6d3045236dc7f4001e3a88001fccd353c1fc298bbb6a1942058383ea78770d5c Red Hat CodeReady Linux Builder for IBM z Systems 9 SRPM s390x python3.11-debug-3.11.13-5.3.el9_7.s390x.rpm SHA-256: 853331445fcc20b4701039712ae6f6f180cdfbb4946c78010a0a258429b40326 python3.11-debuginfo-3.11.13-5.3.el9_7.s390x.rpm SHA-256: 1e9d65cc44698e940b6fbe39a2ae73d4295c508094dca18be959be1f7110b564 python3.11-debugsource-3.11.13-5.3.el9_7.s390x.rpm SHA-256: 7145cd0d9fc71c5a2c38095dcce781bf124b6700a0ee612cfd978017eb3d05c2 python3.11-idle-3.11.13-5.3.el9_7.s390x.rpm SHA-256: 3cba5666d0565e9162fb70129308f0a9d513979402243d2bad8fbbb5455cbe40 p