Multiple CVEs in Python 3.15 Affect Fedora Users

Multiple CVEs in Python 3.15 Affect Fedora Users

First seen 23 May 2026, 23:33 UTC Linuxsecurity 95% similarity 74.0

Article Content

Browse articles
ThreatCluster

On May 23, 2026, Fedora released security advisories for Python 3.15, addressing multiple vulnerabilities including CVE-2026-1502, CVE-2026-6100, CVE-2026-4786, CVE-2026-5713, and CVE-2026-3219. These vulnerabilities allow for arbitrary code execution, information disclosure, and HTTP header injection, impacting users of Fedora 42 and 43. The most critical issues involve command injection in the webbrowser.open() API and use-after-free vulnerabilities in decompression modules. Users are advised to apply the updates using the 'dnf' package manager. The vulnerabilities were published between April 10 and April 20, 2026, indicating a significant risk for systems running affected versions of Python. Immediate action is recommended to mitigate potential exploitation.

Key Points: • Multiple critical vulnerabilities in Python 3.15 affect Fedora 42 and 43. • Key issues include arbitrary code execution and command injection vulnerabilities. • Users must update their systems using the 'dnf' package manager to mitigate risks.

ThreatCluster AI

Timeline

2026-04-10
CVE-2026-1502 published
Python 3.15 vulnerability allows HTTP header injection via CR/LF in proxy tunnel headers.
Linuxsecurity
2026-04-13
CVE-2026-6100 and CVE-2026-4786 published
CVE-2026-6100 allows arbitrary code execution via use-after-free in decompression modules; CVE-2026-4786 enables command injection in webbrowser.open().
Linuxsecurity
2026-04-14
CVE-2026-5713 published
This vulnerability allows information disclosure and arbitrary code execution via remote debugging with a malicious process.
Linuxsecurity
2026-04-20
CVE-2026-3219 published
CVE-2026-3219 causes incorrect file installation due to improper archive handling in pip.
Linuxsecurity
2026-05-23
Fedora releases security advisories
Fedora advises users to upgrade Python 3.15 to mitigate multiple vulnerabilities affecting versions 42 and 43.
Linuxsecurity

Community

Browse all →