Ubuntu published security notice USN-8509-1 on July 6, 2026, patching 16 Python vulnerabilities across Python 3.10, 3.12, and 3.14 on Ubuntu 22.04 LTS, 24.04 LTS, and 26.04 LTS. The Python vulnerabilities 2026 batch covers a wide range of issues – from use-after-free flaws enabling code execution, to header injection, path traversal bypass, and auditing evasion.
Affected Ubuntu Releases
| Ubuntu Release | Python Version | Fixed Package Version |
|---|---|---|
| 26.04 LTS (Resolute Raccoon) | python3.14 | 3.14.4-1ubuntu0.1 |
| 24.04 LTS (Noble Numbat) | python3.12 | 3.12.3-1ubuntu0.15 |
| 22.04 LTS (Jammy Jellyfish) | python3.10 | 3.10.12-1~22.04.16 |
A Complete Python Vulnerabilities List (USN-8509-1)
Not all CVEs affect every release. The table below shows which Ubuntu versions are affected by each issue:
| CVE | Component | Impact | Affected Releases |
|---|---|---|---|
| CVE-2025-13462 | tarfile | Path restriction bypass | 22.04, 24.04 |
| CVE-2025-69534 | HTMLParser | DoS via malformed HTML | 22.04, 24.04 |
| CVE-2026-1299 | email module | Arbitrary email header injection | 22.04, 24.04 |
| CVE-2026-1502 | http.client | Arbitrary HTTP header injection via CONNECT tunnel | All releases |
| CVE-2026-2297 | importlib | Audit bypass via legacy .pyc loading | 22.04, 24.04 |
| CVE-2026-3276 | unicodedata.normalize() | DoS via excessive resource consumption | All releases |
| CVE-2026-3644 | http.cookies | Arbitrary content injection via control characters | 22.04, 24.04 |
| CVE-2026-4224 | pyexpat / Expat XML | DoS via unbounded recursion | 22.04, 24.04 |
| CVE-2026-4519 | webbrowser | Arbitrary command execution via leading dashes in URLs | 22.04, 24.04 |
| CVE-2026-4786 | webbrowser.open() | Arbitrary command execution via malicious handlers | All releases |
| CVE-2026-5713 | Remote debug module | DoS or arbitrary code execution via invalid offset tables | 26.04 only |
| CVE-2026-6019 | http.cookies (js_output) | Arbitrary JavaScript injection | All releases |
| CVE-2026-6100 | lzma, bz2, gzip decompressors | DoS or arbitrary code execution via use-after-free | All releases |
| CVE-2026-7774 | tarfile (data filter) | Path restriction bypass via link target validation | 24.04, 26.04 |
| CVE-2026-8328 | ftplib | Server-side request forgery (incomplete fix for CVE-2021-4189) | All releases |
| CVE-2026-9669 | bz2 (BZ2Decompressor) | DoS or arbitrary code execution via use-after-free after error | All releases |
Most Severe Python Vulnerabilities in This Batch
Several CVEs in this notice stand out for their potential impact:
CVE-2026-6100 – Use-after-free in lzma, bz2, and gzip decompressors (All releases)
Python's lzma, bz2, and gzip decompressor objects had a use-after-free vulnerability. An attacker could exploit this to crash Python or execute arbitrary code. This affects all three Ubuntu releases and is one of the two most critical python vulnerabilities in this batch.
CVE-2026-9669 – BZ2Decompressor reuse after error (All releases)
Python's bz2 module allowed a BZ2Decompressor object to be reused after a decompression error, leading to use-after-free. Like CVE-2026-6100, this can result in crashes or arbitrary code execution across all affected releases.
CVE-2026-4786 – webbrowser.open() command execution (All releases)
Python incorrectly handled webbrowser.open() handlers in a way that could allow an attacker to execute arbitrary commands. This affects all three releases.
CVE-2026-4519 – webbrowser leading dash URL command execution (22.04, 24.04)
Python's webbrowser module accepted URLs with leading dashes, which could be interpreted as command-line options. An attacker could use this to execute arbitrary commands. Affects Ubuntu 22.04 and 24.04 only.
CVE-2026-5713 – Remote debug module code execution (26.04 only)
Python's remote debugging module did not properly validate offset tables when loading debug information. This could allow an attacker to crash Python or execute arbitrary code. This issue is specific to Ubuntu 26.04 LTS running Python 3.14.
Is Python 3.10 Vulnerable?
Yes. Python 3.10 on Ubuntu 22.04 LTS is affected by 12 of the 16 CVEs in this notice. The four CVEs that do not affect Ubuntu 22.04 are CVE-2026-5713 (26.04 only) and CVE-2026-7774 (24.04 and 26.04 only), plus two others scoped to specific releases. The fixed version for Python 3.10 on Ubuntu 22.04 is 3.10.12-1~22.04.16, available via standard system update.
How to Check Your Python Version
python3 --version
To check the installed package version:
apt-cache policy python3.10 # Ubuntu 22.04
apt-cache policy python3.12 # Ubuntu 24.04
apt-cache policy python3.14 # Ubuntu 26.04
How to Fix
A standard system update applies all patches across all three releases:
sudo apt update && sudo apt upgrade
No reboot is required.