Red Hat Product Errata RHSA-2026:20577 - Security Advisory Issued: 2026-05-26 Updated: 2026-05-26 RHSA-2026:20577 - Security Advisory Overview Updated Packages Synopsis Moderate: python-tornado security update Type/Severity Security Advisory: Moderate Red Hat Lightspeed patch analysis Identify and remediate systems affected by this advisory. View affected systems Topic An update for python-tornado is now available for Red Hat Enterprise Linux 10.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Description Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix(es): tornado-python: Tornado: Denial of Service via large multipart bodies (CVE-2026-31958) tornado: Tornado: Cookie attribute injection due to improper handling of cookie arguments (CVE-2026-35536) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 Affected Products Red Hat Enterprise Linux for x86_64 - Extended Update Support 10.0 x86_64 Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 10.0 s390x Red Hat Enterprise Linux for Power, little endian - Extended Update Support 10.0 ppc64le Red Hat Enterprise Linux for ARM 64 - Extended Update Support 10.0 aarch64 Red Hat Enterprise Linux for ARM 64 - 4 years of updates 10.0 aarch64 Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 10.0 s390x Red Hat Enterprise Linux for Power, little endian - 4 years of support 10.0 ppc64le Red Hat Enterprise Linux for x86_64 - 4 years of updates 10.0 x86_64 Fixes BZ - 2446765 - CVE-2026-31958 tornado-python: Tornado: Denial of Service via large multipart bodies BZ - 2454716 - CVE-2026-35536 tornado: Tornado: Cookie attribute injection due to improper handling of cookie arguments CVEs CVE-2026-31958 CVE-2026-35536 References https://access.redhat.com/security/updates/classification/#moderate Note: More recent versions of these packages may be available. Click a package name for more details. Red Hat Enterprise Linux for x86_64 - Extended Update Support 10.0 SRPM python-tornado-6.4.2-1.el10_0.2.src.rpm SHA-256: de133a8c3572bf205139f55b43e9a2d14df4829bc338d1b0ebb57000466f8d38 x86_64 python-tornado-debugsource-6.4.2-1.el10_0.2.x86_64.rpm SHA-256: 7be6465eef2e81c2dde72e583076baa170c8a9aa69c90cd8318c44ffad07d9d3 python3-tornado-6.4.2-1.el10_0.2.x86_64.rpm SHA-256: 723c796fb549487f70f798af8e84f6324b8b15a440e892631ca778a65ff5628b python3-tornado-debuginfo-6.4.2-1.el10_0.2.x86_64.rpm SHA-256: 52e54d3eb4c8e4ff243ae380ad070841dc3a15472a65f8b1058f050b99517f51 Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 10.0 SRPM python-tornado-6.4.2-1.el10_0.2.src.rpm SHA-256: de133a8c3572bf205139f55b43e9a2d14df4829bc338d1b0ebb57000466f8d38 s390x python-tornado-debugsource-6.4.2-1.el10_0.2.s390x.rpm SHA-256: a311aad3f102a66c8427d0e5c897d27c7140132cb5050b649f01c60f1c5c9632 python3-tornado-6.4.2-1.el10_0.2.s390x.rpm SHA-256: 43200e9fe07667b42ec448d0a3f944be84e97f95adc27ddda7d4fb48a8f1a320 python3-tornado-debuginfo-6.4.2-1.el10_0.2.s390x.rpm SHA-256: 13f37e5b9e7c0281171da5274bda116bf9c305c69ac0965650182d3680c83424 Red Hat Enterprise Linux for Power, little endian - Extended Update Support 10.0 SRPM python-tornado-6.4.2-1.el10_0.2.src.rpm SHA-256: de133a8c3572bf205139f55b43e9a2d14df4829bc338d1b0ebb57000466f8d38 ppc64le python-tornado-debugsource-6.4.2-1.el10_0.2.ppc64le.rpm SHA-256: 4040d82a68f55177178b3a8dc98a52bec77b4bfba3f937926b00fdb315524a49 python3-tornado-6.4.2-1.el10_0.2.ppc64le.rpm SHA-256: c2a7bc90c9eaf6bfa7587a1e713d58d2a2f55bab4031a8b2aa53bc5bd5ba7806 python3-tornado-debuginfo-6.4.2-1.el10_0.2.ppc64le.rpm SHA-256: e8da7598cee7b99e6ae3cb7caffa8606174ab2d998e4b982a478891cd63df2f1 Red Hat Enterprise Linux for ARM 64 - Extended Update Support 10.0 SRPM python-tornado-6.4.2-1.el10_0.2.src.rpm SHA-256: de133a8c3572bf205139f55b43e9a2d14df4829bc338d1b0ebb57000466f8d38 aarch64 python-tornado-debugsource-6.4.2-1.el10_0.2.aarch64.rpm SHA-256: 6f1ae208e49c1bf5a14b97cc3f2f33a30cb8fab4c6f9ba9cc5198bce2185cb95 python3-tornado-6.4.2-1.el10_0.2.aarch64.rpm SHA-256: a8538ca2073e025630378abeccf6b69270e6ee79777eee85d3896ea89b66c811 python3-tornado-debuginfo-6.4.2-1.el10_0.2.aarch64.rpm SHA-256: 91f6fc03c7be34f514a4f35dd2ac44dff92eadc1a8e19f39d0eb8e6eb0955e5f Red Hat Enterprise Linux for ARM 64 - 4 years of updates 10.0 SRPM python-tornado-6.4.2-1.el10_0.2.src.rpm SHA-256: de133a8c3572bf205139f55b43e9a2d14df4829bc338d1b0ebb57000466f8d38 aarch64 python-tornado-debugsource-6.4.2-1.el10_0.2.aarch64.rpm SHA-256: 6f1ae208e49c1bf5a14b97cc3f2f33a30cb8fab4c6f9ba9cc5198bce2185cb95 python3-tornado-6.4.2-1.el10_0.2.aarch64.rpm SHA-256: a8538ca2073e025630378abeccf6b69270e6ee79777eee85d3896ea89b66c811 python3-tornado-debuginfo-6.4.2-1.el10_0.2.aarch64.rpm SHA-256: 91f6fc03c7be34f514a4f35dd2ac44dff92eadc1a8e19f39d0eb8e6eb0955e5f Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 10.0 SRPM python-tornado-6.4.2-1.el10_0.2.src.rpm SHA-256: de133a8c3572bf205139f55b43e9a2d14df4829bc338d1b0ebb57000466f8d38 s390x python-tornado-debugsource-6.4.2-1.el10_0.2.s390x.rpm SHA-256: a311aad3f102a66c8427d0e5c897d27c7140132cb5050b649f01c60f1c5c9632 python3-tornado-6.4.2-1.el10_0.2.s390x.rpm SHA-256: 43200e9fe07667b42ec448d0a3f944be84e97f95adc27ddda7d4fb48a8f1a320 python3-tornado-debuginfo-6.4.2-1.el10_0.2.s390x.rpm SHA-256: 13f37e5b9e7c0281171da5274bda116bf9c305c69ac0965650182d3680c83424 Red Hat Enterprise Linux for Power, little endian - 4 years of support 10.0 SRPM python-tornado-6.4.2-1.el10_0.2.src.rpm SHA-256: de133a8c3572bf205139f55b43e9a2d14df4829bc338d1b0ebb57000466f8d38 ppc64le python-tornado-debugsource-6.4.2-1.el10_0.2.ppc64le.rpm SHA-256: 4040d82a68f55177178b3a8dc98a52bec77b4bfba3f937926b00fdb315524a49 python3-tornado-6.4.2-1.el10_0.2.ppc64le.rpm SHA-256: c2a7bc90c9eaf6bfa7587a1e713d58d2a2f55bab4031a8b2aa53bc5bd5ba7806 python3-tornado-debuginfo-6.4.2-1.el10_0.2.ppc64le.rpm SHA-256: e8da7598cee7b99e6ae3cb7caffa8606174ab2d998e4b982a478891cd63df2f1 Red Hat Enterprise Linux for x86_64 - 4 years of updates 10.0 SRPM python-tornado-6.4.2-1.el10_0.2.src.rpm SHA-256: de133a8c3572bf205139f55b43e9a2d14df4829bc338d1b0ebb57000466f8d38 x86_64 python-tornado-debugsource-6.4.2-1.el10_0.2.x86_64.rpm SHA-256: 7be6465eef2e81c2dde72e583076baa170c8a9aa69c90cd8318c44ffad07d9d3 python3-tornado-6.4.2-1.el10_0.2.x86_64.rpm SHA-256: 723c796fb549487f70f798af8e84f6324b8b15a440e892631ca778a65ff5628b python3-tornado-debuginfo-6.4.2-1.el10_0.2.x86_64.rpm SHA-256: 52e54d3eb4c8e4ff243ae380ad070841dc3a15472a65f8b1058f050b99517f51 The Red Hat security contact is secalert@redhat.com . More contact details at https://access.redhat.com/security/team/contact/ .