Ubuntu Fixes 16 Recent Python Vulnerabilities (USN-8509-1)

Python

Python

Track EOL dates for all Python versions.

View all versions →
Key Takeaways
  • Ubuntu patched 16 Python vulnerabilities on July 6, 2026 under USN-8509-1
  • Affects Python 3.10 (Ubuntu 22.04), Python 3.12 (Ubuntu 24.04), and Python 3.14 (Ubuntu 26.04)
  • Most severe issues include RCE via use-after-free in decompressors (CVE-2026-6100, CVE-2026-9669) and command execution via webbrowser module (CVE-2026-4786, CVE-2026-4519)

Ubuntu published security notice USN-8509-1 on July 6, 2026, patching 16 Python vulnerabilities across Python 3.10, 3.12, and 3.14 on Ubuntu 22.04 LTS, 24.04 LTS, and 26.04 LTS. The Python vulnerabilities 2026 batch covers a wide range of issues – from use-after-free flaws enabling code execution, to header injection, path traversal bypass, and auditing evasion.

Affected Ubuntu Releases

Ubuntu Release Python Version Fixed Package Version
26.04 LTS (Resolute Raccoon) python3.14 3.14.4-1ubuntu0.1
24.04 LTS (Noble Numbat) python3.12 3.12.3-1ubuntu0.15
22.04 LTS (Jammy Jellyfish) python3.10 3.10.12-1~22.04.16

A Complete Python Vulnerabilities List (USN-8509-1)

Not all CVEs affect every release. The table below shows which Ubuntu versions are affected by each issue:

CVE Component Impact Affected Releases
CVE-2025-13462 tarfile Path restriction bypass 22.04, 24.04
CVE-2025-69534 HTMLParser DoS via malformed HTML 22.04, 24.04
CVE-2026-1299 email module Arbitrary email header injection 22.04, 24.04
CVE-2026-1502 http.client Arbitrary HTTP header injection via CONNECT tunnel All releases
CVE-2026-2297 importlib Audit bypass via legacy .pyc loading 22.04, 24.04
CVE-2026-3276 unicodedata.normalize() DoS via excessive resource consumption All releases
CVE-2026-3644 http.cookies Arbitrary content injection via control characters 22.04, 24.04
CVE-2026-4224 pyexpat / Expat XML DoS via unbounded recursion 22.04, 24.04
CVE-2026-4519 webbrowser Arbitrary command execution via leading dashes in URLs 22.04, 24.04
CVE-2026-4786 webbrowser.open() Arbitrary command execution via malicious handlers All releases
CVE-2026-5713 Remote debug module DoS or arbitrary code execution via invalid offset tables 26.04 only
CVE-2026-6019 http.cookies (js_output) Arbitrary JavaScript injection All releases
CVE-2026-6100 lzma, bz2, gzip decompressors DoS or arbitrary code execution via use-after-free All releases
CVE-2026-7774 tarfile (data filter) Path restriction bypass via link target validation 24.04, 26.04
CVE-2026-8328 ftplib Server-side request forgery (incomplete fix for CVE-2021-4189) All releases
CVE-2026-9669 bz2 (BZ2Decompressor) DoS or arbitrary code execution via use-after-free after error All releases

Most Severe Python Vulnerabilities in This Batch

Several CVEs in this notice stand out for their potential impact:

CVE-2026-6100 – Use-after-free in lzma, bz2, and gzip decompressors (All releases)
Python's lzma, bz2, and gzip decompressor objects had a use-after-free vulnerability. An attacker could exploit this to crash Python or execute arbitrary code. This affects all three Ubuntu releases and is one of the two most critical python vulnerabilities in this batch.

CVE-2026-9669 – BZ2Decompressor reuse after error (All releases)
Python's bz2 module allowed a BZ2Decompressor object to be reused after a decompression error, leading to use-after-free. Like CVE-2026-6100, this can result in crashes or arbitrary code execution across all affected releases.

CVE-2026-4786 – webbrowser.open() command execution (All releases)
Python incorrectly handled webbrowser.open() handlers in a way that could allow an attacker to execute arbitrary commands. This affects all three releases.

CVE-2026-4519 – webbrowser leading dash URL command execution (22.04, 24.04)
Python's webbrowser module accepted URLs with leading dashes, which could be interpreted as command-line options. An attacker could use this to execute arbitrary commands. Affects Ubuntu 22.04 and 24.04 only.

CVE-2026-5713 – Remote debug module code execution (26.04 only)
Python's remote debugging module did not properly validate offset tables when loading debug information. This could allow an attacker to crash Python or execute arbitrary code. This issue is specific to Ubuntu 26.04 LTS running Python 3.14.

Is Python 3.10 Vulnerable?

Yes. Python 3.10 on Ubuntu 22.04 LTS is affected by 12 of the 16 CVEs in this notice. The four CVEs that do not affect Ubuntu 22.04 are CVE-2026-5713 (26.04 only) and CVE-2026-7774 (24.04 and 26.04 only), plus two others scoped to specific releases. The fixed version for Python 3.10 on Ubuntu 22.04 is 3.10.12-1~22.04.16, available via standard system update.

How to Check Your Python Version

python3 --version

To check the installed package version:

apt-cache policy python3.10   # Ubuntu 22.04
apt-cache policy python3.12   # Ubuntu 24.04
apt-cache policy python3.14   # Ubuntu 26.04

How to Fix

A standard system update applies all patches across all three releases:

sudo apt update && sudo apt upgrade

No reboot is required.

References

Tagged: Security Notices cve python python3 security ubuntu vulnerabilities