Security News

Cybersecurity news aggregator

HIGH Updates Red Hat Errata

RHSA-2026:19177: Important: python3.12 security update

This Red Hat security advisory addresses twelve vulnerabilities in the python3.12 packages for Red Hat Enterprise Linux 9. The most serious are arbitrary code execution via command injection in `webbrowser.open()` (CVE-2026-4786) and a related command-line option injection in the same API via crafted URLs (CVE-2026-4519), a use-after-free in the decompression modules that can lead to code execution or information disclosure (CVE-2026-6100), HTTP header injection via CR/LF sequences in proxy tunnel headers (CVE-2026-1502), and a stack overflow when parsing XML with deeply nested DTD content models (CVE-2026-4224). The remaining fixes cover further header-injection and control-character issues in `http.cookies` and data URLs, denial-of-service bugs in expat, plistlib and `os.path.expandvars()`, and a logging bypass in legacy .pyc handling. Red Hat rates the update Important. The fixed build is python3.12-3.12.13-2.el9_8; it should be applied through the standard package management channels (for example `dnf update --advisory=RHSA-2026:19177`).

Red Hat Product Errata RHSA-2026:19177 - Security Advisory
Issued: 2026-05-19
Updated: 2026-05-19

Synopsis: Important: python3.12 security update
Type/Severity: Security Advisory: Important

Topic

An update for python3.12 is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.
Security Fix(es):

- expat: libexpat in Expat allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing (CVE-2025-59375)
- python: Quadratic complexity in os.path.expandvars() with user-controlled template (CVE-2025-6075)
- cpython: Out-of-memory when loading Plist (CVE-2025-13837)
- cpython: Header injection via newlines in data URL mediatype in Python (CVE-2025-15282)
- cpython: Header injection in http.cookies.Morsel in Python (CVE-2026-0672)
- cpython: Logging Bypass in Legacy .pyc File Handling (CVE-2026-2297)
- cpython: Incomplete control character validation in http.cookies (CVE-2026-3644)
- cpython: Stack overflow parsing XML with deeply nested DTD content models (CVE-2026-4224)
- python: Command-line option injection in webbrowser.open() via crafted URLs (CVE-2026-4519)
- python: HTTP header injection via CR/LF in proxy tunnel headers (CVE-2026-1502)
- python: Arbitrary code execution or information disclosure via use-after-free in decompression modules (CVE-2026-6100)
- python: Arbitrary code execution via command injection in webbrowser.open() API (CVE-2026-4786)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258

Affected Products

- Red Hat Enterprise Linux for x86_64 9 x86_64
- Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.8 x86_64
- Red Hat Enterprise Linux for IBM z Systems 9 s390x
- Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.8 s390x
- Red Hat Enterprise Linux for Power, little endian 9 ppc64le
- Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.8 ppc64le
- Red Hat Enterprise Linux for ARM 64 9 aarch64
- Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.8 aarch64
- Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.8 ppc64le
- Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.8 x86_64
- Red Hat CodeReady Linux Builder for x86_64 9 x86_64
- Red Hat CodeReady Linux Builder for Power, little endian 9 ppc64le
- Red Hat CodeReady Linux Builder for ARM 64 9 aarch64
- Red Hat CodeReady Linux Builder for IBM z Systems 9 s390x
- Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 9.8 x86_64
- Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 9.8 ppc64le
- Red Hat CodeReady Linux Builder for IBM z Systems - Extended Update Support 9.8 s390x
- Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 9.8 aarch64
- Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.8 aarch64
- Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.8 s390x
- Red Hat Enterprise Linux for x86_64 - Extended Life Cycle 9.8 x86_64
- Red Hat Enterprise Linux for ARM 64 - Extended Life Cycle 9.8 aarch64
- Red Hat Enterprise Linux for Power, little endian - Extended Life Cycle 9.8 ppc64le
- Red Hat Enterprise Linux for IBM z Systems - Extended Life Cycle 9.8 s390x

Fixes

- BZ - 2395108 - CVE-2025-59375 firefox: thunderbird: expat: libexpat in Expat allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing
- BZ - 2408891 - CVE-2025-6075 python: Quadratic complexity in os.path.expandvars() with user-controlled template
- BZ - 2418084 - CVE-2025-13837 cpython: Out-of-memory when loading Plist
- BZ - 2431366 - CVE-2025-15282 cpython: Header injection via newlines in data URL mediatype in Python
- BZ - 2431374 - CVE-2026-0672 cpython: Header injection in http.cookies.Morsel in Python
- BZ - 2444691 - CVE-2026-2297 cpython: CPython: Logging Bypass in Legacy .pyc File Handling
- BZ - 2448168 - CVE-2026-3644 cpython: Incomplete control character validation in http.cookies
- BZ - 2448181 - CVE-2026-4224 cpython: Stack overflow parsing XML with deeply nested DTD content models
- BZ - 2449649 - CVE-2026-4519 python: Python: Command-line option injection in webbrowser.open() via crafted URLs
- BZ - 2457409 - CVE-2026-1502 python: Python: HTTP header injection via CR/LF in proxy tunnel headers
- BZ - 2457932 - CVE-2026-6100 python: Python: Arbitrary code execution or information disclosure via use-after-free in decompression modules
- BZ - 2458049 - CVE-2026-4786 python: cpython: Python: Arbitrary code execution via command injection in webbrowser.open() API

CVEs

CVE-2025-6075, CVE-2025-13837, CVE-2025-15282, CVE-2025-59375, CVE-2026-0672, CVE-2026-1502, CVE-2026-2297, CVE-2026-3644, CVE-2026-4224, CVE-2026-4519, CVE-2026-4786, CVE-2026-6100

References

https://access.redhat.com/security/updates/classification/#important

Note: More recent versions of these packages may be available.
Updated Packages

Red Hat Enterprise Linux for x86_64 9

SRPM
python3.12-3.12.13-2.el9_8.src.rpm SHA-256: f3e4be91674b9c6a6bb47bea8c2934e01caa947c5be7ce6c98fdb61296fbc1ee

x86_64
python3.12-3.12.13-2.el9_8.x86_64.rpm SHA-256: b534b3693ac5571ace6bcbeb0c65e7bf3d9e326bc622c7fac51015d32b45d216
python3.12-debuginfo-3.12.13-2.el9_8.i686.rpm SHA-256: bf22f4ec571b8d8ddc9338723268b1cc6defff0d136dc2fb6a3ec81279bcd6d0
python3.12-debuginfo-3.12.13-2.el9_8.x86_64.rpm SHA-256: ca551ed86550b57fa83663360b4dbcd1af3102637502a5db7cfead65bd6c88b8
python3.12-debugsource-3.12.13-2.el9_8.i686.rpm SHA-256: 51740bed58d5603914089a9626b510a97d9666396c5091671528642bc4149892
python3.12-debugsource-3.12.13-2.el9_8.x86_64.rpm SHA-256: aa3470763c84b8be0d2687b0f33decca33a536b9063d0bf9c3edba7acedadeb4
python3.12-devel-3.12.13-2.el9_8.i686.rpm SHA-256: 9d7bd4a63d07fc9529b565b5fa438e456bc8c3dd4fd52625a026748d6fc9378f
python3.12-devel-3.12.13-2.el9_8.x86_64.rpm SHA-256: 19862bcc0babbb7ea4a876073e26d74258f102c4d0672d26c53b118de200d3ed
python3.12-libs-3.12.13-2.el9_8.i686.rpm SHA-256: 9b6217c0dc7436f90933486a3a950febaa0634c1e056ce41a0f935f9639c9642
python3.12-libs-3.12.13-2.el9_8.x86_64.rpm SHA-256: 16baa9a7786c1cba3707593a61b12aae9134e4303670e218fc8a94f8d5db08b5
python3.12-tkinter-3.12.13-2.el9_8.x86_64.rpm SHA-256: 628985544200ba0698e97a45baa41c30432710920d13dbcf14e9e2a0947526d7

Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.8

SRPM
python3.12-3.12.13-2.el9_8.src.rpm SHA-256: f3e4be91674b9c6a6bb47bea8c2934e01caa947c5be7ce6c98fdb61296fbc1ee

x86_64
python3.12-3.12.13-2.el9_8.x86_64.rpm SHA-256: b534b3693ac5571ace6bcbeb0c65e7bf3d9e326bc622c7fac51015d32b45d216
python3.12-debuginfo-3.12.13-2.el9_8.i686.rpm SHA-256: bf22f4ec571b8d8ddc9338723268b1cc6defff0d136dc2fb6a3ec81279bcd6d0
python3.12-debuginfo-3.12.13-2.el9_8.x86_64.rpm SHA-256: ca551ed86550b57fa83663360b4dbcd1af3102637502a5db7cfead65bd6c88b8
python3.12-debugsource-3.12.13-2.el9_8.i686.rpm SHA-256: 51740bed58d5603914089a9626b510a97d9666396c5091671528642bc4149892
python3.12-debugsource-3.12.13-2.el9_8.x86_64.rpm SHA-256: aa3470763c84b8be0d2687b0f33decca33a536b9063d0bf9c3edba7acedadeb4
python3.12-devel-3.12.13-2.el9_8.i686.rpm SHA-256: 9d7bd4a63d07fc9529b565b5fa438e456bc8c3dd4fd52625a026748d6fc9378f
python3.12-devel-3.12.13-2.el9_8.x86_64.rpm SHA-256: 19862bcc0babbb7ea4a876073e26d74258f102c4d0672d26c53b118de200d3ed
python3.12-libs-3.12.13-2.el9_8.i686.rpm SHA-256: 9b6217c0dc7436f90933486a3a950febaa0634c1e056ce41a0f935f9639c9642
python3.12-libs-3.12.13-2.el9_8.x86_64.rpm SHA-256: 16baa9a7786c1cba3707593a61b12aae9134e4303670e218fc8a94f8d5db08b5
python3.12-tkinter-3.12.13-2.el9_8.x86_64.rpm SHA-256: 628985544200ba0698e97a45baa41c30432710920d13dbcf14e9e2a0947526d7

Red Hat Enterprise Linux for IBM z Systems 9

SRPM
python3.12-3.12.13-2.el9_8.src.rpm SHA-256: f3e4be91674b9c6a6bb47bea8c2934e01caa947c5be7ce6c98fdb61296fbc1ee

s390x
python3.12-3.12.13-2.el9_8.s390x.rpm SHA-256: d671a54fd29454af8f897f62eae59fa8e79ef4c898401212a74218cd03e641c4
python3.12-debuginfo-3.12.13-2.el9_8.s390x.rpm SHA-256: a7ac8ec1a973f94d89e9fcdefca090dfb0107abbdf83ef8c032b6121a0259b99
python3.12-debugsource-3.12.13-2.el9_8.s390x.rpm SHA-256: 7a7b62250f8bb11eceea920652a019cf46f194cc9ba404c3f2915bf4ad4bf954
python3.12-devel-3.12.13-2.el9_8.s390x.rpm SHA-256: 3653baa0deb0d0a03f86784091c7c03ab4d5d691501416cdd630fc84a67f5e6c
python3.12-libs-3.12.13-2.el9_8.s390x.rpm SHA-256: e688d7a1f32c8fd2054b82dc285f94a6b0536a94eadc7898b272d81c770e6efe
python3.12-tkinter-3.12.13-2.el9_8.s390x.rpm SHA-256: 920114c12f5624dd6e221e6a8c870e149413cff6c77a8c05f644161b1224d85e

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.8

SRPM
python3.12-3.12.13-2.el9_8.src.rpm SHA-256: f3e4be91674b9c6a6bb47bea8c2934e01caa947c5be7ce6c98fdb61296fbc1ee

s390x
python3.12-3.12.13-2.el9_8.s390x.rpm SHA-256: d671a54fd29454af8f897f62eae59fa8e79ef4c898401212a74218cd03e641c4
python3.12-debuginfo-3.12.13-2.el9_8.s390x.rpm SHA-256: a7ac8ec1a973f94d89e9fcdefca090dfb0107abbdf83ef8c032b6121a0259b99
python3.12-debugsource-3.12.13-2.el9_8.s390x.r
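The advisory gives two facts a responder actually needs: the fixed build (python3.12-3.12.13-2.el9_8) and the SHA-256 of every package. The script below, an added example and not Red Hat tooling, turns both into checks: it compares an installed NVR against the fixed build using rpm's own version-ordering rules (numeric and alphabetic segments, `~` pre-release and `^` post-release separators), and it verifies downloaded package bytes against the advisory's checksum list. The checksums are copied from the x86_64 table above; the installed-version strings and the package bytes in the demo are constructed, and epoch 0 is an assumption because the advisory table shows no epoch.

```python
"""Added example: is the installed python3.12 older than RHSA-2026:19177's
fixed build, and does a downloaded RPM match the advisory's SHA-256?"""
import hashlib
import hmac
import re

ADVISORY = "RHSA-2026:19177"
PACKAGE = "python3.12"

# Fixed build from the advisory's package table. The table lists no epoch,
# so epoch 0 is assumed here.
FIXED_EVR = ("0", "3.12.13", "2.el9_8")

# SHA-256 values copied from the advisory's x86_64 package table.
ADVISORY_SHA256 = {
    "python3.12-3.12.13-2.el9_8.x86_64.rpm":
        "b534b3693ac5571ace6bcbeb0c65e7bf3d9e326bc622c7fac51015d32b45d216",
    "python3.12-libs-3.12.13-2.el9_8.x86_64.rpm":
        "16baa9a7786c1cba3707593a61b12aae9134e4303670e218fc8a94f8d5db08b5",
    "python3.12-devel-3.12.13-2.el9_8.x86_64.rpm":
        "19862bcc0babbb7ea4a876073e26d74258f102c4d0672d26c53b118de200d3ed",
}

# rpm splits a version into numeric runs, alphabetic runs and the special
# separators '~' (pre-release) and '^' (post-release snapshot); every other
# character is a plain separator and is ignored.
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+|~|\^")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 following rpm's rpmvercmp() ordering: numeric
    segments compare as integers, alphabetic ones lexically, numeric beats
    alphabetic, '~' sorts below anything (1.0~rc1 < 1.0) and '^' sorts
    above end-of-string but below a further segment (1.0 < 1.0^git1 < 1.0.1)."""
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    i = 0
    while True:
        ta = sa[i] if i < len(sa) else None
        tb = sb[i] if i < len(sb) else None
        if ta is None and tb is None:
            return 0
        if ta == "~" or tb == "~":          # side without '~' is newer
            if ta != "~":
                return 1
            if tb != "~":
                return -1
        elif ta == "^" or tb == "^":        # end-of-string loses to '^'
            if ta is None:
                return -1
            if tb is None:
                return 1
            if ta != "^":                   # any real segment beats '^'
                return 1
            if tb != "^":
                return -1
        elif ta is None:                    # longer string wins
            return -1
        elif tb is None:
            return 1
        else:
            a_num, b_num = ta.isdigit(), tb.isdigit()
            if a_num != b_num:
                return 1 if a_num else -1
            if a_num:
                c = (int(ta) > int(tb)) - (int(ta) < int(tb))
            else:
                c = (ta > tb) - (ta < tb)
            if c:
                return c
        i += 1                              # equal segment (or both ~/^)


def parse_nvr(nvr: str):
    """Split 'name-[epoch:]version-release' into (name, (epoch, version, release)).
    rpm prints '(none)' for a missing epoch; treat it as 0, as rpm does."""
    name, version, release = nvr.rsplit("-", 2)
    epoch = "0"
    if ":" in version:
        epoch, version = version.split(":", 1)
        if epoch == "(none)":
            epoch = "0"
    return name, (epoch, version, release)


def evr_cmp(x, y) -> int:
    for a, b in zip(x, y):
        c = rpmvercmp(a, b)
        if c:
            return c
    return 0


def needs_update(installed_nvr: str) -> bool:
    """True when a python3.12 (sub)package is older than the fixed build."""
    name, evr = parse_nvr(installed_nvr)
    if name != PACKAGE and not name.startswith(PACKAGE + "-"):
        raise ValueError(f"{installed_nvr} is not a {PACKAGE} package")
    return evr_cmp(evr, FIXED_EVR) < 0


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_rpm_bytes(filename: str, data: bytes, expected=ADVISORY_SHA256) -> bool:
    """Check downloaded package bytes against the advisory's published SHA-256.
    KeyError for a file the advisory does not list; False on a mismatch."""
    if filename not in expected:
        raise KeyError(f"{filename} is not listed in {ADVISORY}")
    return hmac.compare_digest(sha256_hex(data), expected[filename])


if __name__ == "__main__":
    # Constructed inputs standing in for `rpm -q` output and a download.
    for nvr in ("python3.12-3.12.13-1.el9_8", "python3.12-3.12.13-2.el9_8"):
        print(nvr, "->", "needs " + ADVISORY if needs_update(nvr) else "patched")
    sample = b"constructed bytes, not a real RPM"
    print("checksum matches advisory:",
          verify_rpm_bytes("python3.12-3.12.13-2.el9_8.x86_64.rpm", sample))
```

Feed `needs_update()` the output of `rpm -q --qf '%{NAME}-%{EPOCH}:%{VERSION}-%{RELEASE}\n' python3.12`; a True result means the host still needs `dnf update --advisory=RHSA-2026:19177`. The version comparison is deliberately not a plain string or tuple compare: `2.el9_8.1` must rank above `2.el9_8`, and a `~` build must rank below the release it precedes, exactly as rpm decides whether the update applies.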
