Critical Python Vulnerabilities Affect Multiple Versions
Severity: High (Score: 74.0)
Sources: Linuxsecurity
Summary
Recent security updates for Python 3.10, 3.12, and 3.15 address critical vulnerabilities impacting various systems. Key vulnerabilities include CVE-2026-1502, which allows HTTP header injection, and CVE-2026-6100, which can lead to arbitrary code execution. These vulnerabilities affect multiple distributions, including Ubuntu 22.04 and Fedora 42 and 43. The vulnerabilities were published between March 4 and April 13, 2026, with patches released shortly after. Systems using these Python versions are at risk if not updated promptly. The updates also include fixes for logging bypass and stack overflow issues. Security teams are urged to apply the updates to mitigate potential exploitation risks. The situation remains critical as attackers may exploit these vulnerabilities before widespread patch adoption.
Key Points
- Multiple Python versions (3.10, 3.12, 3.15) have critical vulnerabilities requiring immediate attention.
- CVE-2026-1502 and CVE-2026-6100 are among the most severe vulnerabilities, allowing for significant exploitation.
- Patches have been released, but systems remain at risk until updates are applied.
Key Entities
- CVE-2026-1502 (cve)
- CVE-2026-2297 (cve)
- CVE-2026-3479 (cve)
- CVE-2026-3644 (cve)
- CVE-2026-4224 (cve)
- CWE-120 - Classic Buffer Overflow (cwe)
- CWE-200 - Exposure of Sensitive Information (cwe)
- CWE-22 - Path Traversal (cwe)
- CWE-416 - Use After Free (cwe)
- CWE-78 - OS Command Injection (cwe)
- Fedora (company)
- Ubuntu (company)
- Command-line Option Injection In webbrowser.open() Via Crafted URLs (vulnerability)
- Logging Bypass In Legacy .pyc File Handling (vulnerability)
- Path Traversal Via Improper Resource Argument Validation (vulnerability)
- Stack Overflow Parsing XML With Deeply Nested DTD Content Models (vulnerability)