Red Hat Product Errata RHSA-2026:13670 - Security Advisory Issued: 2026-05-05 Updated: 2026-05-05 RHSA-2026:13670 - Security Advisory Overview Updated Packages Synopsis Moderate: python-tornado security update Type/Severity Security Advisory: Moderate Red Hat Lightspeed patch analysis Identify and remediate systems affected by this advisory. View affected systems Topic An update for python-tornado is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Description Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix(es): tornado-python: Tornado: Denial of Service via large multipart bodies (CVE-2026-31958) tornado: Tornado: Cookie attribute injection due to improper handling of cookie arguments (CVE-2026-35536) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 Affected Products Red Hat Enterprise Linux for x86_64 9 x86_64 Red Hat Enterprise Linux for IBM z Systems 9 s390x Red Hat Enterprise Linux for Power, little endian 9 ppc64le Red Hat Enterprise Linux for ARM 64 9 aarch64 Fixes BZ - 2446765 - CVE-2026-31958 tornado-python: Tornado: Denial of Service via large multipart bodies BZ - 2454716 - CVE-2026-35536 tornado: Tornado: Cookie attribute injection due to improper handling of cookie arguments CVEs CVE-2026-31958 CVE-2026-35536 References https://access.redhat.com/security/updates/classification/#moderate Note: More recent versions of these packages may be available. Click a package name for more details. Red Hat Enterprise Linux for x86_64 9 SRPM python-tornado-6.5.5-1.el9_7.1.src.rpm SHA-256: b3803a7b366d2b67c0fa40862b6bd08722e556d90ea1c3b8f6a9308ff87d36f3 x86_64 python-tornado-debugsource-6.5.5-1.el9_7.1.x86_64.rpm SHA-256: fcf6d02d77874b8a82dbc3dc38de58d476c2ac039ddd887ad5c0496178255f27 python3-tornado-6.5.5-1.el9_7.1.x86_64.rpm SHA-256: 43923482ce961cb7aee44e4d933f216fda88ed7510baa46a92cd416cc0cc92db python3-tornado-debuginfo-6.5.5-1.el9_7.1.x86_64.rpm SHA-256: 0fe59006039646930a494c9f16c89b800d8dd9f312ac6db1e9e54b12f51b1ef0 Red Hat Enterprise Linux for IBM z Systems 9 SRPM python-tornado-6.5.5-1.el9_7.1.src.rpm SHA-256: b3803a7b366d2b67c0fa40862b6bd08722e556d90ea1c3b8f6a9308ff87d36f3 s390x python-tornado-debugsource-6.5.5-1.el9_7.1.s390x.rpm SHA-256: 8446324d25649f04b003c3b9afabaf06d7dac22d87ba6caf0b7375eab7ccb1f7 python3-tornado-6.5.5-1.el9_7.1.s390x.rpm SHA-256: 5c006deb3543a044ab0a2fd90368226010b824e4bcd433f770567694239037b5 python3-tornado-debuginfo-6.5.5-1.el9_7.1.s390x.rpm SHA-256: 568a5b3a2e8d1f6e733f0793df8d0bceb1a5f470b46f33bfaa80dcbf94965828 Red Hat Enterprise Linux for Power, little endian 9 SRPM python-tornado-6.5.5-1.el9_7.1.src.rpm SHA-256: b3803a7b366d2b67c0fa40862b6bd08722e556d90ea1c3b8f6a9308ff87d36f3 ppc64le python-tornado-debugsource-6.5.5-1.el9_7.1.ppc64le.rpm SHA-256: 43e6f4af4d87491dd05d39420aacaa69a0893426a0187439da35e0559d8ed65b python3-tornado-6.5.5-1.el9_7.1.ppc64le.rpm SHA-256: a2348ec1cfc4687a89df656c94226dba4798c40f0133cfd77fc2c9368dea2f88 python3-tornado-debuginfo-6.5.5-1.el9_7.1.ppc64le.rpm SHA-256: 6529ce42862c88ff05294ddfb51ae5e05b0859afef8968d5063f6e4b7b21955c Red Hat Enterprise Linux for ARM 64 9 SRPM python-tornado-6.5.5-1.el9_7.1.src.rpm SHA-256: b3803a7b366d2b67c0fa40862b6bd08722e556d90ea1c3b8f6a9308ff87d36f3 aarch64 python-tornado-debugsource-6.5.5-1.el9_7.1.aarch64.rpm SHA-256: f913fca550413e8292f9bccd4623231a4fd1d0db4a64311b0eb1d1885b4c5f07 python3-tornado-6.5.5-1.el9_7.1.aarch64.rpm SHA-256: 597a51c711a4de5dc71bd71bf49ae20e2607076c09d695e548eb180c559676a3 python3-tornado-debuginfo-6.5.5-1.el9_7.1.aarch64.rpm SHA-256: 21ad351fccc01bae7beabe342ca19f12d39b56b010ab4785f7327fdb0f325084 The Red Hat security contact is secalert@redhat.com . More contact details at https://access.redhat.com/security/team/contact/ .