Security News

Cybersecurity news aggregator

HIGH Updates Red Hat Errata

RHSA-2026:19019: Important: python3.14 security update

This Red Hat Security Advisory addresses multiple vulnerabilities in Python 3.14, including HTTP header injection, a logging bypass, command injection, a stack overflow in XML parsing, and arbitrary code execution via a use-after-free in the decompression modules. The update is rated Important and affects Red Hat Enterprise Linux 10. Organizations should apply the provided python3.14 security update immediately; the advisory links to the patching instructions.

Red Hat Product Errata
RHSA-2026:19019 - Security Advisory
Issued: 2026-05-19
Updated: 2026-05-19

Synopsis
Important: python3.14 security update

Type/Severity
Security Advisory: Important

Topic
An update for python3.14 is now available for Red Hat Enterprise Linux 10.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description
Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.

Security Fix(es):
    cpython: wsgiref.headers.Headers allows header newline injection in Python (CVE-2026-0865)
    cpython: CPython: Logging Bypass in Legacy .pyc File Handling (CVE-2026-2297)
    cpython: Incomplete control character validation in http.cookies (CVE-2026-3644)
    cpython: Stack overflow parsing XML with deeply nested DTD content models (CVE-2026-4224)
    python: Python: Command-line option injection in webbrowser.open() via crafted URLs (CVE-2026-4519)
    python: Python: HTTP header injection via CR/LF in proxy tunnel headers (CVE-2026-1502)
    python: Python: Arbitrary code execution or information disclosure via use-after-free in decompression modules (CVE-2026-6100)
    python: cpython: Python: Arbitrary code execution via command injection in webbrowser.open() API (CVE-2026-4786)
    python: Python: Information disclosure and arbitrary code execution via remote debugging with a malicious process. (CVE-2026-5713)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258

Affected Products
    Red Hat Enterprise Linux for x86_64 10 x86_64
    Red Hat Enterprise Linux for x86_64 - Extended Update Support 10.2 x86_64
    Red Hat Enterprise Linux for IBM z Systems 10 s390x
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 10.2 s390x
    Red Hat Enterprise Linux for Power, little endian 10 ppc64le
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 10.2 ppc64le
    Red Hat Enterprise Linux for ARM 64 10 aarch64
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 10.2 aarch64
    Red Hat CodeReady Linux Builder for x86_64 10 x86_64
    Red Hat CodeReady Linux Builder for Power, little endian 10 ppc64le
    Red Hat CodeReady Linux Builder for ARM 64 10 aarch64
    Red Hat CodeReady Linux Builder for IBM z Systems 10 s390x
    Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 10.2 x86_64
    Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 10.2 ppc64le
    Red Hat CodeReady Linux Builder for IBM z Systems - Extended Update Support 10.2 s390x
    Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 10.2 aarch64
    Red Hat Enterprise Linux for ARM 64 - 4 years of updates 10.2 aarch64
    Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 10.2 s390x
    Red Hat Enterprise Linux for Power, little endian - 4 years of support 10.2 ppc64le
    Red Hat Enterprise Linux for x86_64 - 4 years of updates 10.2 x86_64
    Red Hat Enterprise Linux for x86_64 - Extended Life Cycle 10.2 x86_64
    Red Hat Enterprise Linux for ARM 64 - Extended Life Cycle 10.2 aarch64
    Red Hat Enterprise Linux for Power, little endian - Extended Life Cycle 10.2 ppc64le
    Red Hat Enterprise Linux for IBM z Systems - Extended Life Cycle 10.2 s390x

Fixes
    BZ - 2431367 - CVE-2026-0865 cpython: wsgiref.headers.Headers allows header newline injection in Python
    BZ - 2444691 - CVE-2026-2297 cpython: CPython: Logging Bypass in Legacy .pyc File Handling
    BZ - 2448168 - CVE-2026-3644 cpython: Incomplete control character validation in http.cookies
    BZ - 2448181 - CVE-2026-4224 cpython: Stack overflow parsing XML with deeply nested DTD content models
    BZ - 2449649 - CVE-2026-4519 python: Python: Command-line option injection in webbrowser.open() via crafted URLs
    BZ - 2457409 - CVE-2026-1502 python: Python: HTTP header injection via CR/LF in proxy tunnel headers
    BZ - 2457932 - CVE-2026-6100 python: Python: Arbitrary code execution or information disclosure via use-after-free in decompression modules
    BZ - 2458049 - CVE-2026-4786 python: cpython: Python: Arbitrary code execution via command injection in webbrowser.open() API
    BZ - 2458239 - CVE-2026-5713 python: Python: Information disclosure and arbitrary code execution via remote debugging with a malicious process.

CVEs
    CVE-2026-0865
    CVE-2026-1502
    CVE-2026-2297
    CVE-2026-3644
    CVE-2026-4224
    CVE-2026-4519
    CVE-2026-4786
    CVE-2026-5713
    CVE-2026-6100

References
    https://access.redhat.com/security/updates/classification/#important

Updated Packages
Note: More recent versions of these packages may be available.
Red Hat Enterprise Linux for x86_64 10
  SRPM
    python3.14-3.14.4-2.el10_2.src.rpm
  x86_64
    python3.14-3.14.4-2.el10_2.x86_64.rpm
    python3.14-debuginfo-3.14.4-2.el10_2.x86_64.rpm
    python3.14-debugsource-3.14.4-2.el10_2.x86_64.rpm
    python3.14-devel-3.14.4-2.el10_2.x86_64.rpm
    python3.14-libs-3.14.4-2.el10_2.x86_64.rpm
    python3.14-tkinter-3.14.4-2.el10_2.x86_64.rpm

Red Hat Enterprise Linux for x86_64 - Extended Update Support 10.2
  SRPM
    python3.14-3.14.4-2.el10_2.src.rpm
  x86_64
    python3.14-3.14.4-2.el10_2.x86_64.rpm
    python3.14-debuginfo-3.14.4-2.el10_2.x86_64.rpm
    python3.14-debugsource-3.14.4-2.el10_2.x86_64.rpm
    python3.14-devel-3.14.4-2.el10_2.x86_64.rpm
    python3.14-libs-3.14.4-2.el10_2.x86_64.rpm
    python3.14-tkinter-3.14.4-2.el10_2.x86_64.rpm

Red Hat Enterprise Linux for IBM z Systems 10
  SRPM
    python3.14-3.14.4-2.el10_2.src.rpm
  s390x
    python3.14-3.14.4-2.el10_2.s390x.rpm
    python3.14-debuginfo-3.14.4-2.el10_2.s390x.rpm
    python3.14-debugsource-3.14.4-2.el10_2.s390x.rpm
    python3.14-devel-3.14.4-2.el10_2.s390x.rpm
    python3.14-libs-3.14.4-2.el10_2.s390x.rpm
    python3.14-tkinter-3.14.4-2.el10_2.s390x.rpm

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 10.2
  SRPM
    python3.14-3.14.4-2.el10_2.src.rpm
  s390x
    python3.14-3.14.4-2.el10_2.s390x.rpm
    python3.14-debuginfo-3.14.4-2.el10_2.s390x.rpm
    python3.14-debugsource-3.14.4-2.el10_2.s390x.rpm
    python3.14-devel-3.14.4-2.el10_2.s390x.rpm
    python3.14-libs-3.14.4-2.el10_2.s390x.rpm
    python3.14-tkinter-3.14.4-2.el10_2.s390x.rpm

Red Hat Enterprise Linux for Power, little endian 10
  SRPM
    python3.14-3.14.4-2.el10_2.src.rpm
  ppc64le
    python3.14-3.14.4-2.el10_2.ppc64le.rpm
    python3.14-debuginfo-3.14.4-2.el10_2.ppc64le.rpm
    python3.14-debugsource-3.14.4-2.el10_2.ppc64le.rpm
    python3.14-devel-3.14.4-2.el10_2.ppc64le.rpm
    python3.14-libs-3.14.4-2.el10_2.ppc64le.rpm
    python3.14-tkinter-3.14.4-2.el10_2.ppc64le.rpm

Red Hat Enterprise Linux for Power, little endian - Extended Update Support 10.2
  SRPM
    python3.14-3.14.4-2.el10_2.src.rpm
  ppc64le
    python3.14-3.14.4-2.el10_2.p
