- What: Security update for Python 3.14 in Red Hat Enterprise Linux 9
- Impact: Systems running the affected python3.14 packages are exposed to the vulnerabilities listed under Security Fix(es) below, which Red Hat Product Security rates as Important
Red Hat Product Errata

RHSA-2026:19176 - Security Advisory

Issued: 2026-05-19
Updated: 2026-05-19

Synopsis

Important: python3.14 security update

Type/Severity

Security Advisory: Important

Topic

An update for python3.14 is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.

Security Fix(es):

- cpython: wsgiref.headers.Headers allows header newline injection in Python (CVE-2026-0865)
- cpython: CPython: Logging Bypass in Legacy .pyc File Handling (CVE-2026-2297)
- cpython: Incomplete control character validation in http.cookies (CVE-2026-3644)
- cpython: Stack overflow parsing XML with deeply nested DTD content models (CVE-2026-4224)
- python: Python: Command-line option injection in webbrowser.open() via crafted URLs (CVE-2026-4519)
- python: Python: HTTP header injection via CR/LF in proxy tunnel headers (CVE-2026-1502)
- python: Python: Arbitrary code execution or information disclosure via use-after-free in decompression modules (CVE-2026-6100)
- python: cpython: Python: Arbitrary code execution via command injection in webbrowser.open() API (CVE-2026-4786)
- python: Python: Information disclosure and arbitrary code execution via remote debugging with a malicious process. (CVE-2026-5713)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258

Affected Products

- Red Hat Enterprise Linux for x86_64 9 x86_64
- Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.8 x86_64
- Red Hat Enterprise Linux for IBM z Systems 9 s390x
- Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.8 s390x
- Red Hat Enterprise Linux for Power, little endian 9 ppc64le
- Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.8 ppc64le
- Red Hat Enterprise Linux for ARM 64 9 aarch64
- Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.8 aarch64
- Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.8 ppc64le
- Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.8 x86_64
- Red Hat CodeReady Linux Builder for x86_64 9 x86_64
- Red Hat CodeReady Linux Builder for Power, little endian 9 ppc64le
- Red Hat CodeReady Linux Builder for ARM 64 9 aarch64
- Red Hat CodeReady Linux Builder for IBM z Systems 9 s390x
- Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 9.8 x86_64
- Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 9.8 ppc64le
- Red Hat CodeReady Linux Builder for IBM z Systems - Extended Update Support 9.8 s390x
- Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 9.8 aarch64
- Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.8 aarch64
- Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.8 s390x
- Red Hat Enterprise Linux for x86_64 - Extended Life Cycle 9.8 x86_64
- Red Hat Enterprise Linux for ARM 64 - Extended Life Cycle 9.8 aarch64
- Red Hat Enterprise Linux for Power, little endian - Extended Life Cycle 9.8 ppc64le
- Red Hat Enterprise Linux for IBM z Systems - Extended Life Cycle 9.8 s390x

Fixes

- BZ - 2431367 - CVE-2026-0865 cpython: wsgiref.headers.Headers allows header newline injection in Python
- BZ - 2444691 - CVE-2026-2297 cpython: CPython: Logging Bypass in Legacy .pyc File Handling
- BZ - 2448168 - CVE-2026-3644 cpython: Incomplete control character validation in http.cookies
- BZ - 2448181 - CVE-2026-4224 cpython: Stack overflow parsing XML with deeply nested DTD content models
- BZ - 2449649 - CVE-2026-4519 python: Python: Command-line option injection in webbrowser.open() via crafted URLs
- BZ - 2457409 - CVE-2026-1502 python: Python: HTTP header injection via CR/LF in proxy tunnel headers
- BZ - 2457932 - CVE-2026-6100 python: Python: Arbitrary code execution or information disclosure via use-after-free in decompression modules
- BZ - 2458049 - CVE-2026-4786 python: cpython: Python: Arbitrary code execution via command injection in webbrowser.open() API
- BZ - 2458239 - CVE-2026-5713 python: Python: Information disclosure and arbitrary code execution via remote debugging with a malicious process.

CVEs

- CVE-2026-0865
- CVE-2026-1502
- CVE-2026-2297
- CVE-2026-3644
- CVE-2026-4224
- CVE-2026-4519
- CVE-2026-4786
- CVE-2026-5713
- CVE-2026-6100

References

- https://access.redhat.com/security/updates/classification/#important

Updated Packages

Note: More recent versions of these packages may be available.

Red Hat Enterprise Linux for x86_64 9
Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.8

SRPM:
- python3.14-3.14.4-2.el9_8.src.rpm

x86_64:
- python3.14-3.14.4-2.el9_8.x86_64.rpm
- python3.14-debuginfo-3.14.4-2.el9_8.i686.rpm
- python3.14-debuginfo-3.14.4-2.el9_8.x86_64.rpm
- python3.14-debugsource-3.14.4-2.el9_8.i686.rpm
- python3.14-debugsource-3.14.4-2.el9_8.x86_64.rpm
- python3.14-devel-3.14.4-2.el9_8.i686.rpm
- python3.14-devel-3.14.4-2.el9_8.x86_64.rpm
- python3.14-libs-3.14.4-2.el9_8.i686.rpm
- python3.14-libs-3.14.4-2.el9_8.x86_64.rpm
- python3.14-tkinter-3.14.4-2.el9_8.x86_64.rpm

Red Hat Enterprise Linux for IBM z Systems 9
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.8

SRPM:
- python3.14-3.14.4-2.el9_8.src.rpm

s390x:
- python3.14-3.14.4-2.el9_8.s390x.rpm
- python3.14-debuginfo-3.14.4-2.el9_8.s390x.rpm
- python3.14-debugsource-3.14.4-2.el9_8.s390x.rpm
- python3.14-devel-3.14.4-2.el9_8.s390x.rpm
- python3.14-libs-3.14.4-2.el9_8.s390x.rpm
- python3.14-tkinter-3.14.4-2.el9_8.s390x.rpm

Red Hat Enterprise Linux for Power, little endian 9

SRPM:
- python3.14-3.14.4-2.el9_8.src.rpm

ppc64le:
- python3.14-3.14.4-2.el9_8.ppc64le.rpm