Red Hat Product Errata RHSA-2026:20573 - Security Advisory Issued: 2026-05-26 Updated: 2026-05-26 RHSA-2026:20573 - Security Advisory Overview Updated Packages Synopsis Moderate: python-tornado security update Type/Severity Security Advisory: Moderate Red Hat Lightspeed patch analysis Identify and remediate systems affected by this advisory. View affected systems Topic An update for python-tornado is now available for Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Description Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix(es): tornado-python: Tornado: Denial of Service via large multipart bodies (CVE-2026-31958) tornado: Tornado: Cookie attribute injection due to improper handling of cookie arguments (CVE-2026-35536) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 Affected Products Red Hat Enterprise Linux Server - AUS 9.2 x86_64 Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.2 ppc64le Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.2 x86_64 Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.2 aarch64 Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.2 s390x Red Hat Enterprise Linux for x86_64 - Extended Life Cycle 9.2 x86_64 Red Hat Enterprise Linux for ARM 64 - Extended Life Cycle 9.2 aarch64 Red Hat Enterprise Linux for Power, little endian - Extended Life Cycle 9.2 ppc64le Red Hat Enterprise Linux for IBM z Systems - Extended Life Cycle 9.2 s390x Fixes BZ - 2446765 - CVE-2026-31958 tornado-python: Tornado: Denial of Service via large multipart bodies BZ - 2454716 - CVE-2026-35536 tornado: Tornado: Cookie attribute injection due to improper handling of cookie arguments CVEs CVE-2026-31958 CVE-2026-35536 References https://access.redhat.com/security/updates/classification/#moderate Note: More recent versions of these packages may be available. Click a package name for more details. Red Hat Enterprise Linux Server - AUS 9.2 SRPM python-tornado-6.4.2-1.el9_2.2.src.rpm SHA-256: 6aba7a3dbf1c7f68785f2edf6f44041fde6fb39edf1fd8ec5ef002af9d1d564f x86_64 python-tornado-debugsource-6.4.2-1.el9_2.2.x86_64.rpm SHA-256: 04c27ea501db62e6a2a8a556cf535b12dd8f791d575d5e8c429134fcddaa0e6c python3-tornado-6.4.2-1.el9_2.2.x86_64.rpm SHA-256: f439886e76d01682959aff05aa7c562555e23fa5f1ca70189b34664016c4f7b4 python3-tornado-debuginfo-6.4.2-1.el9_2.2.x86_64.rpm SHA-256: 07d6d0fb5ac57df8bc106b64cb4b1c3cb812ec6d0611149a93ba67e95cc0b698 Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.2 SRPM python-tornado-6.4.2-1.el9_2.2.src.rpm SHA-256: 6aba7a3dbf1c7f68785f2edf6f44041fde6fb39edf1fd8ec5ef002af9d1d564f ppc64le python-tornado-debugsource-6.4.2-1.el9_2.2.ppc64le.rpm SHA-256: c8d52231bf8f94377cacb25d25e3ccd5ca06e3c06e9246d226df91e994fec63f python3-tornado-6.4.2-1.el9_2.2.ppc64le.rpm SHA-256: b06832ca0514f3d7aacb32542042aab987969747ceef9a6acc6e9df58440751a python3-tornado-debuginfo-6.4.2-1.el9_2.2.ppc64le.rpm SHA-256: f24fc8ab17cf1362160710a2c23561aeb0b8f7957f0f41e9b10a031f83a022c7 Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.2 SRPM python-tornado-6.4.2-1.el9_2.2.src.rpm SHA-256: 6aba7a3dbf1c7f68785f2edf6f44041fde6fb39edf1fd8ec5ef002af9d1d564f x86_64 python-tornado-debugsource-6.4.2-1.el9_2.2.x86_64.rpm SHA-256: 04c27ea501db62e6a2a8a556cf535b12dd8f791d575d5e8c429134fcddaa0e6c python3-tornado-6.4.2-1.el9_2.2.x86_64.rpm SHA-256: f439886e76d01682959aff05aa7c562555e23fa5f1ca70189b34664016c4f7b4 python3-tornado-debuginfo-6.4.2-1.el9_2.2.x86_64.rpm SHA-256: 07d6d0fb5ac57df8bc106b64cb4b1c3cb812ec6d0611149a93ba67e95cc0b698 Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.2 SRPM python-tornado-6.4.2-1.el9_2.2.src.rpm SHA-256: 6aba7a3dbf1c7f68785f2edf6f44041fde6fb39edf1fd8ec5ef002af9d1d564f aarch64 python-tornado-debugsource-6.4.2-1.el9_2.2.aarch64.rpm SHA-256: c15f0768e73e94171f219b77a5601fc889c16e3e0325449ac64c3c412bb3d446 python3-tornado-6.4.2-1.el9_2.2.aarch64.rpm SHA-256: 6b3e01b46b970091c8e2931569c5c3dec5155b6bb154c33c9df2cdea0dcbf4cf python3-tornado-debuginfo-6.4.2-1.el9_2.2.aarch64.rpm SHA-256: 063e475859eb93a7a8f5cbbe94e3bb2f023cc8bf5c4390fa071b2dbb67e47212 Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.2 SRPM python-tornado-6.4.2-1.el9_2.2.src.rpm SHA-256: 6aba7a3dbf1c7f68785f2edf6f44041fde6fb39edf1fd8ec5ef002af9d1d564f s390x python-tornado-debugsource-6.4.2-1.el9_2.2.s390x.rpm SHA-256: 74112f69faa354606a385de5217fc93fb1f5988a43dd76dd1e4243c31592503f python3-tornado-6.4.2-1.el9_2.2.s390x.rpm SHA-256: f27b87a8faea6f6414581b8f2e546b0546255a97454e6764c9cb52fa5ffe53fa python3-tornado-debuginfo-6.4.2-1.el9_2.2.s390x.rpm SHA-256: b113e30ead8d2e75ad54a3102e6bb494ed6b43d70faefaf966cf632cf8bbf8cc Red Hat Enterprise Linux for x86_64 - Extended Life Cycle 9.2 SRPM python-tornado-6.4.2-1.el9_2.2.src.rpm SHA-256: 6aba7a3dbf1c7f68785f2edf6f44041fde6fb39edf1fd8ec5ef002af9d1d564f x86_64 python-tornado-debugsource-6.4.2-1.el9_2.2.x86_64.rpm SHA-256: 04c27ea501db62e6a2a8a556cf535b12dd8f791d575d5e8c429134fcddaa0e6c python3-tornado-6.4.2-1.el9_2.2.x86_64.rpm SHA-256: f439886e76d01682959aff05aa7c562555e23fa5f1ca70189b34664016c4f7b4 python3-tornado-debuginfo-6.4.2-1.el9_2.2.x86_64.rpm SHA-256: 07d6d0fb5ac57df8bc106b64cb4b1c3cb812ec6d0611149a93ba67e95cc0b698 Red Hat Enterprise Linux for ARM 64 - Extended Life Cycle 9.2 SRPM python-tornado-6.4.2-1.el9_2.2.src.rpm SHA-256: 6aba7a3dbf1c7f68785f2edf6f44041fde6fb39edf1fd8ec5ef002af9d1d564f aarch64 python-tornado-debugsource-6.4.2-1.el9_2.2.aarch64.rpm SHA-256: c15f0768e73e94171f219b77a5601fc889c16e3e0325449ac64c3c412bb3d446 python3-tornado-6.4.2-1.el9_2.2.aarch64.rpm SHA-256: 6b3e01b46b970091c8e2931569c5c3dec5155b6bb154c33c9df2cdea0dcbf4cf python3-tornado-debuginfo-6.4.2-1.el9_2.2.aarch64.rpm SHA-256: 063e475859eb93a7a8f5cbbe94e3bb2f023cc8bf5c4390fa071b2dbb67e47212 Red Hat Enterprise Linux for Power, little endian - Extended Life Cycle 9.2 SRPM python-tornado-6.4.2-1.el9_2.2.src.rpm SHA-256: 6aba7a3dbf1c7f68785f2edf6f44041fde6fb39edf1fd8ec5ef002af9d1d564f ppc64le python-tornado-debugsource-6.4.2-1.el9_2.2.ppc64le.rpm SHA-256: c8d52231bf8f94377cacb25d25e3ccd5ca06e3c06e9246d226df91e994fec63f python3-tornado-6.4.2-1.el9_2.2.ppc64le.rpm SHA-256: b06832ca0514f3d7aacb32542042aab987969747ceef9a6acc6e9df58440751a python3-tornado-debuginfo-6.4.2-1.el9_2.2.ppc64le.rpm SHA-256: f24fc8ab17cf1362160710a2c23561aeb0b8f7957f0f41e9b10a031f83a022c7 Red Hat Enterprise Linux for IBM z Systems - Extended Life Cycle 9.2 SRPM python-tornado-6.4.2-1.el9_2.2.src.rpm SHA-256: 6aba7a3dbf1c7f68785f2edf6f44041fde6fb39edf1fd8ec5ef002af9d1d564f s390x python-tornado-debugsource-6.4.2-1.el9_2.2.s390x.rpm SHA-256: 74112f69faa354606a385de5217fc93fb1f5988a43dd76dd1e4243c31592503f python3-tornado-6.4.2-1.el9_2.2.s390x.rpm SHA-256: f27b87a8faea6f6414581b8f2e546b0546255a97454e6764c9cb52fa5ffe53fa python3-tornado-debuginfo-6.4.2-1.el9_2.2.s390x.rpm SHA-256: b113e30ead8d2e75ad54a3102e6bb494ed6b43d70faefaf966cf632cf8bbf8cc The Red Hat security contact is secalert@redhat.com . More contact details at https://access.redhat.com/security/team/contact/ .