Security News

Cybersecurity news aggregator

Red Hat Errata | Updates | HIGH

RHSA-2026:19064: Important: python3.12 security update

This Red Hat security advisory addresses multiple vulnerabilities in Python 3.12, including arbitrary code execution via command injection in `webbrowser.open()` (CVE-2026-4786), header injection via newlines in `http.cookies.Morsel` (CVE-2026-0672), and a memory exhaustion issue in libexpat (CVE-2025-59375, CVSS 7.5). The vulnerabilities affect Python 3.12 packages on Red Hat Enterprise Linux 10, and users should apply the provided `python3.12` security update immediately.

Red Hat Product Errata RHSA-2026:19064 - Security Advisory
Issued: 2026-05-19
Updated: 2026-05-19

Synopsis: Important: python3.12 security update
Type/Severity: Security Advisory: Important

Topic
An update for python3.12 is now available for Red Hat Enterprise Linux 10. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description
Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.

Security Fix(es):
expat: libexpat in Expat allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing (CVE-2025-59375)
python: Quadratic complexity in os.path.expandvars() with user-controlled template (CVE-2025-6075)
cpython: Out-of-memory when loading Plist (CVE-2025-13837)
cpython: Header injection via newlines in data URL mediatype in Python (CVE-2025-15282)
cpython: Header injection in http.cookies.Morsel in Python (CVE-2026-0672)
cpython: CPython: Logging Bypass in Legacy .pyc File Handling (CVE-2026-2297)
cpython: Incomplete control character validation in http.cookies (CVE-2026-3644)
cpython: Stack overflow parsing XML with deeply nested DTD content models (CVE-2026-4224)
python: Python: Command-line option injection in webbrowser.open() via crafted URLs (CVE-2026-4519)
python: Python: HTTP header injection via CR/LF in proxy tunnel headers (CVE-2026-1502)
python: Python: Arbitrary code execution or information disclosure via use-after-free in decompression modules (CVE-2026-6100)
python: cpython: Python: Arbitrary code execution via command injection in webbrowser.open() API (CVE-2026-4786)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258

Affected Products
Red Hat Enterprise Linux for x86_64 10 (x86_64)
Red Hat Enterprise Linux for x86_64 - Extended Update Support 10.2 (x86_64)
Red Hat Enterprise Linux for IBM z Systems 10 (s390x)
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 10.2 (s390x)
Red Hat Enterprise Linux for Power, little endian 10 (ppc64le)
Red Hat Enterprise Linux for Power, little endian - Extended Update Support 10.2 (ppc64le)
Red Hat Enterprise Linux for ARM 64 10 (aarch64)
Red Hat Enterprise Linux for ARM 64 - Extended Update Support 10.2 (aarch64)
Red Hat CodeReady Linux Builder for x86_64 10 (x86_64)
Red Hat CodeReady Linux Builder for Power, little endian 10 (ppc64le)
Red Hat CodeReady Linux Builder for ARM 64 10 (aarch64)
Red Hat CodeReady Linux Builder for IBM z Systems 10 (s390x)
Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 10.2 (x86_64)
Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 10.2 (ppc64le)
Red Hat CodeReady Linux Builder for IBM z Systems - Extended Update Support 10.2 (s390x)
Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 10.2 (aarch64)
Red Hat Enterprise Linux for ARM 64 - 4 years of updates 10.2 (aarch64)
Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 10.2 (s390x)
Red Hat Enterprise Linux for Power, little endian - 4 years of support 10.2 (ppc64le)
Red Hat Enterprise Linux for x86_64 - 4 years of updates 10.2 (x86_64)
Red Hat Enterprise Linux for x86_64 - Extended Life Cycle 10.2 (x86_64)
Red Hat Enterprise Linux for ARM 64 - Extended Life Cycle 10.2 (aarch64)
Red Hat Enterprise Linux for Power, little endian - Extended Life Cycle 10.2 (ppc64le)
Red Hat Enterprise Linux for IBM z Systems - Extended Life Cycle 10.2 (s390x)

Fixes
BZ - 2395108 - CVE-2025-59375 firefox: thunderbird: expat: libexpat in Expat allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing
BZ - 2408891 - CVE-2025-6075 python: Quadratic complexity in os.path.expandvars() with user-controlled template
BZ - 2418084 - CVE-2025-13837 cpython: Out-of-memory when loading Plist
BZ - 2431366 - CVE-2025-15282 cpython: Header injection via newlines in data URL mediatype in Python
BZ - 2431374 - CVE-2026-0672 cpython: Header injection in http.cookies.Morsel in Python
BZ - 2444691 - CVE-2026-2297 cpython: CPython: Logging Bypass in Legacy .pyc File Handling
BZ - 2448168 - CVE-2026-3644 cpython: Incomplete control character validation in http.cookies
BZ - 2448181 - CVE-2026-4224 cpython: Stack overflow parsing XML with deeply nested DTD content models
BZ - 2449649 - CVE-2026-4519 python: Python: Command-line option injection in webbrowser.open() via crafted URLs
BZ - 2457409 - CVE-2026-1502 python: Python: HTTP header injection via CR/LF in proxy tunnel headers
BZ - 2457932 - CVE-2026-6100 python: Python: Arbitrary code execution or information disclosure via use-after-free in decompression modules
BZ - 2458049 - CVE-2026-4786 python: cpython: Python: Arbitrary code execution via command injection in webbrowser.open() API

CVEs
CVE-2025-6075, CVE-2025-13837, CVE-2025-15282, CVE-2025-59375, CVE-2026-0672, CVE-2026-1502, CVE-2026-2297, CVE-2026-3644, CVE-2026-4224, CVE-2026-4519, CVE-2026-4786, CVE-2026-6100

References
https://access.redhat.com/security/updates/classification/#important

Note: More recent versions of these packages may be available.
Updated Packages
Source: python3.12-3.12.13-2.el10_2.src.rpm. Binary packages (all at 3.12.13-2.el10_2) for each affected product and architecture: python-unversioned-command, python3, python3-devel, python3-libs, python3-tkinter, python3.12-debuginfo and python3.12-debugsource. Per-package SHA-256 checksums are listed on the advisory page.
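A practical follow-up to an advisory like this one is confirming that every host actually carries the fixed build. The check below is an added example, not part of the advisory or of Red Hat's tooling: it re-implements the core of RPM's version/release comparison (rpmvercmp) in plain Python so it runs without the rpm bindings, takes the fixed build 3.12.13-2.el10_2 from the advisory's package list, and classifies lines in the shape produced by `rpm -q --qf '%{NAME} %{VERSION} %{RELEASE}\n'`. Epoch, tilde and caret ordering are deliberately left out; the sample rpm output is constructed.

```python
import re

# Fixed build from RHSA-2026:19064 (python3.12-3.12.13-2.el10_2).
FIXED_VERSION = "3.12.13"
FIXED_RELEASE = "2.el10_2"

# Constructed sample of `rpm -q --qf '%{NAME} %{VERSION} %{RELEASE}\n' ...`
# output: one patched package, one stale package, one not installed.
SAMPLE_RPM_OUTPUT = [
    "python3 3.12.13 2.el10_2",
    "python3-libs 3.12.13 1.el10",
    "package python3-tkinter is not installed",
]

_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: split both labels into numeric and alphabetic
    runs; numeric runs compare as integers and rank above alphabetic ones;
    when all shared segments tie, the label with segments left over is newer.
    Returns 1 if a is newer, -1 if b is newer, 0 if equal."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num != y_num:
            return 1 if x_num else -1
        if x_num:
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def is_fixed(version: str, release: str) -> bool:
    """True when version-release is at or above the advisory's fixed build."""
    c = rpmvercmp(version, FIXED_VERSION)
    if c != 0:
        return c > 0
    return rpmvercmp(release, FIXED_RELEASE) >= 0


def classify(rpm_lines):
    """Map package name -> True (patched) / False (still vulnerable).
    Lines that are not 'NAME VERSION RELEASE' (e.g. 'not installed') are skipped."""
    result = {}
    for line in rpm_lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        name, version, release = parts
        result[name] = is_fixed(version, release)
    return result
```

On a RHEL 10 host, feed `classify` the real output of `rpm -q --qf '%{NAME} %{VERSION} %{RELEASE}\n' python3 python3-libs python3-devel python3-tkinter` instead of the constructed sample.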
