
=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN385
_____________________________________________________________________

DATE                : 14/04/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running CPython, Python install manager.

=====================================================================
https://mail.python.org/archives/list/security-announce@python.org/thread/HTWB2Z6KT5QQX4RYEZAFININDHNOSIF3/
https://mail.python.org/archives/list/security-announce@python.org/thread/JQDUNJVB4AQNTJECSUKOBDU3XCJIPSE5/
https://mail.python.org/archives/list/security-announce@python.org/thread/F5ZT5ICGJ6CKXVUJ34YBVY7WOZ5SHG53/
https://mail.python.org/archives/list/security-announce@python.org/thread/2IVPAEQWUJBCTQZEJEVTYCIKSMQPGRZ3/
https://mail.python.org/archives/list/security-announce@python.org/thread/BFWFLBFMVLHH2EGXMAHR7ZT6QZHCAPS2/
https://mail.python.org/archives/list/security-announce@python.org/thread/AY5NDSS433JK56Q7Q5IS7B37QFZVVOUS/
_____________________________________________________________________


[CVE-2026-6100] Use-after-free in lzma.LZMADecompressor,
bz2.BZ2Decompressor, and gzip.GzipFile after re-use under memory
pressure

Seth Larson
13 April 2026 17:13

There is a CRITICAL severity vulnerability affecting CPython.

Use-after-free (UAF) was possible in the lzma.LZMADecompressor,
bz2.BZ2Decompressor, and gzip.GzipFile when a memory allocation fails
with a MemoryError and the decompression instance is re-used. This
scenario can be triggered if the process is under memory pressure. The fix
cleans up the dangling pointer in this specific error condition.

The vulnerability is only present if the program re-uses decompressor
instances across multiple decompression calls even after a MemoryError is
raised during decompression. Using the helper functions to one-shot
decompress data such as lzma.decompress(), bz2.decompress(),
gzip.decompress(), and zlib.decompress() is not affected as a new
decompressor instance is created for each call. If the decompressor
instance is not re-used after an error condition, this usage is similarly
not vulnerable.

Please see the linked CVE ID for the latest information on affected
versions:

    https://www.cve.org/CVERecord?id=CVE-2026-6100
    https://github.com/python/cpython/pull/148396
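The announcement above describes the non-vulnerable usage pattern in words (one decompressor instance per stream, never re-used after an error). The following is an added example, not code from the advisory or from CPython, showing that pattern for lzma.LZMADecompressor with chunked input; the sample data, helper names and the simulated failure (a corrupt stream rather than a MemoryError) are constructed for illustration.

```python
# Added example (not from the advisory or CPython): stream-decompress .xz data
# so that a decompressor instance is created per stream and is discarded the
# moment any exception is raised, never fed more data afterwards.
import lzma


def decompress_stream(chunks):
    """Decompress an iterable of byte chunks that form one .xz stream.

    A fresh LZMADecompressor is created for this stream only.  If decompress()
    raises for any reason (LZMAError, MemoryError, ...), the instance is treated
    as tainted: the only reference is dropped and the error propagates, so the
    caller cannot accidentally re-use it on the next call.
    """
    dec = lzma.LZMADecompressor()  # one instance per stream, never shared
    out = bytearray()
    try:
        for chunk in chunks:
            out += dec.decompress(chunk)
    except Exception:
        dec = None  # discard the failed instance; a retry must build a new one
        raise
    if not dec.eof:
        raise ValueError("truncated xz stream")
    return bytes(out)


def decompress_many(streams):
    """Decompress independent streams, one decompressor each.

    Returns a list of (ok, payload_or_exception_name) so that a failure in one
    stream neither aborts the batch nor leaks state into the next stream.
    """
    results = []
    for chunks in streams:
        try:
            results.append((True, decompress_stream(chunks)))
        except Exception as exc:
            results.append((False, type(exc).__name__))
    return results


# Constructed sample data: a compressible payload, split into small chunks,
# plus a stream that is not xz at all and a stream cut off before its footer.
SAMPLE = b"hello, world! " * 50
GOOD = lzma.compress(SAMPLE)
CHUNKS = [GOOD[i:i + 7] for i in range(0, len(GOOD), 7)]
CORRUPT = [b"not an xz stream at all"]
TRUNCATED = [GOOD[:-5]]

if __name__ == "__main__":
    for ok, value in decompress_many([CHUNKS, CORRUPT, TRUNCATED, CHUNKS]):
        print(ok, value if not ok else len(value))
```

The point of the wrapper is that the decompressor never outlives the try block in which it failed; the fourth stream in the batch succeeds with a brand-new instance even though the two before it raised.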

_____________________________________________________________________


[CVE-2026-4786] Incomplete mitigation of CVE-2026-4519, %action
expansion for command injection to webbrowser.open()

Seth Larson
13 April 2026 21:53

There is a HIGH severity vulnerability affecting CPython.

Mitigation of CVE-2026-4519 was incomplete. If the URL contained "%action",
the mitigation could be bypassed for certain browser types and the
"webbrowser.open()" API could have commands injected into the underlying
shell. See CVE-2026-4519 for details.

Please see the linked CVE ID for the latest information on affected
versions:

    https://www.cve.org/CVERecord?id=CVE-2026-4786
    https://github.com/python/cpython/pull/148170


_____________________________________________________________________


[CVE-2026-3446] Base64 decoding stops at first padded quad by
default

Seth Larson
10 April 2026 18:19

There is a MEDIUM severity vulnerability affecting CPython.

When calling base64.b64decode() or related functions the decoding process
would stop after encountering the first padded quad regardless of whether
there was more information to be processed. This can lead to data being
accepted which may be processed differently by other implementations. Use
"strict=True" to enable stricter processing of base64 data.

Please see the linked CVE ID for the latest information on affected
versions:

    https://www.cve.org/CVERecord?id=CVE-2026-3446
    https://github.com/python/cpython/pull/145267
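To make the "stops at the first padded quad" behaviour concrete, here is an added example (not from the advisory or from CPython) that accepts only canonical base64 before decoding, so that trailing data after the padding, or non-zero leftover bits, is rejected regardless of what the interpreter's default decoder does with it. The function and variable names and the sample input are constructed for illustration; the example does not depend on the "strict=True" option mentioned above, so it also works on interpreters that predate it.

```python
# Added example (not from the advisory or CPython): canonical-base64 check in
# front of base64.b64decode(), rejecting input with data after the first
# padded quad ("QQ==QUJD") and input whose trailing bits are non-zero.
import base64
import re

# Whole quads, optionally one final quad ending in "=" or "==", nothing after.
_CANONICAL = re.compile(
    rb"\A(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?\Z"
)


def _to_bytes(data):
    """Return ASCII bytes for str/bytes input, or None if it cannot be ASCII."""
    if isinstance(data, str):
        try:
            return data.encode("ascii")
        except UnicodeEncodeError:
            return None
    if isinstance(data, (bytes, bytearray, memoryview)):
        return bytes(data)
    return None


def is_canonical_base64(data):
    """True only if data is syntactically canonical base64 (length % 4 == 0,
    padding only at the very end, no characters after the padding)."""
    raw = _to_bytes(data)
    return raw is not None and _CANONICAL.fullmatch(raw) is not None


def strict_b64decode(data):
    """Decode base64, raising ValueError on anything non-canonical."""
    raw = _to_bytes(data)
    if raw is None or not is_canonical_base64(raw):
        raise ValueError("non-canonical base64 input rejected")
    decoded = base64.b64decode(raw, validate=True)
    # Round-trip check: catches encodings that decode but do not re-encode to
    # the same text, e.g. non-zero unused bits before the padding ("QR==").
    if base64.b64encode(decoded) != raw:
        raise ValueError("base64 input does not round-trip")
    return decoded


def lenient_b64decode(data):
    """The interpreter's default behaviour, returned as a value for comparison
    (None if this interpreter rejects the input)."""
    try:
        return base64.b64decode(data)
    except Exception:
        return None


# Constructed sample: the quad for "A" with "==" padding, followed by the
# quad for "ABC" that a lenient decoder silently ignores.
SMUGGLED = b"QQ==QUJD"

if __name__ == "__main__":
    print("lenient:", lenient_b64decode(SMUGGLED))
    try:
        strict_b64decode(SMUGGLED)
    except ValueError as exc:
        print("strict:", exc)
```

Two implementations that disagree on which bytes SMUGGLED represents are exactly the parser-differential the announcement warns about; rejecting the input at the boundary removes the ambiguity.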


_____________________________________________________________________


[CVE-2026-1502] HTTP client proxy tunnel headers not validated for
CR/LF

Seth Larson
10 April 2026 17:51

There is a MEDIUM severity vulnerability affecting CPython.

CR/LF bytes were not rejected by HTTP client proxy tunnel headers or
host.

Please see the linked CVE ID for the latest information on affected
versions:

    https://www.cve.org/CVERecord?id=CVE-2026-1502
    https://github.com/python/cpython/pull/146212
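As an added example (not from the advisory or from CPython) of the check a caller can apply regardless of interpreter version, the following validates a proxy tunnel host and the tunnel headers for CR/LF and other control characters before they reach http.client's set_tunnel(). The function names, regexes and sample values are constructed for illustration; the connection is built but not opened, so the example runs offline.

```python
# Added example (not from the advisory or CPython): reject CR/LF (and any
# other control character) in the tunnel host and header values before they
# are handed to http.client, so untrusted input cannot add lines to the
# CONNECT request.
import http.client
import re

_CTL = re.compile(r"[\x00-\x1f\x7f]")  # all ASCII control chars, incl. CR/LF
# host[:port]: hostname or IPv4 label characters, or a bracketed IPv6 literal
_HOST = re.compile(r"\A(?:[A-Za-z0-9.\-]+|\[[0-9A-Fa-f:.]+\])(?::\d{1,5})?\Z")
# RFC 7230 header-name token characters
_TOKEN = re.compile(r"\A[!#$%&'*+\-.^_`|~0-9A-Za-z]+\Z")


def validate_tunnel_target(host, headers=None):
    """Return (host, headers) if both are safe to send; raise ValueError otherwise."""
    if not isinstance(host, str) or not _HOST.fullmatch(host):
        raise ValueError(f"invalid tunnel host: {host!r}")
    clean = {}
    for name, value in (headers or {}).items():
        if not isinstance(name, str) or not _TOKEN.fullmatch(name):
            raise ValueError(f"invalid header name: {name!r}")
        if not isinstance(value, str) or _CTL.search(value):
            raise ValueError(f"control character in header {name!r}")
        clean[name] = value
    return host, clean


def make_tunnelled_connection(proxy_host, proxy_port, target, headers=None):
    """Build (without opening) a connection through proxy_host:proxy_port whose
    CONNECT target and tunnel headers have passed validate_tunnel_target()."""
    host, hdrs = validate_tunnel_target(target, headers)
    conn = http.client.HTTPConnection(proxy_host, proxy_port)
    conn.set_tunnel(host, headers=hdrs)  # no socket is opened until connect()
    return conn


if __name__ == "__main__":
    # Constructed values: a proxy and a target that are never contacted here.
    conn = make_tunnelled_connection("proxy.example.test", 3128,
                                     "example.com:443",
                                     {"Proxy-Authorization": "Basic dXNlcjpwYXNz"})
    print("tunnel configured:", conn)
    for bad in ("example.com\r\nX-Injected: 1", "example.com:443\n"):
        try:
            validate_tunnel_target(bad)
        except ValueError as exc:
            print("rejected:", exc)
```

The header-name check matters as much as the value check: a name containing ":" or whitespace would also change the structure of the request, so the allow-list is applied to both.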


_____________________________________________________________________


[CVE-2026-5271] Python install manager script aliases search path hijack

Steve Dower
1 April 2026 17:07

There is a MEDIUM severity vulnerability affecting the Python install
manager.

Script alias entrypoints (e.g. pip.exe) generated by version 26.0 of the
Python install manager were very likely to have an empty search path,
leading to modules in the current working directory being able to
override the intended module and execute code as the user.

Version 26.1 is fixed. Versions prior to 26.0 are not impacted.

After installing the updated version, run "py install --refresh" to
regenerate existing aliases.

Please see the linked CVE ID for the latest information on
affected versions:

    https://www.cve.org/CVERecord?id=CVE-2026-5271
    https://github.com/python/pymanager/pull/301


_____________________________________________________________________


[CVE-2026-4519] webbrowser.open() API allows leading dashes

Seth Larson
20 March 2026 15:03

There is a MEDIUM severity vulnerability affecting CPython.

The webbrowser.open() API would accept leading dashes in the URL which
could be handled as command line options for certain web browsers. New
behavior rejects leading dashes. Users are recommended to sanitize URLs
prior to passing to webbrowser.open().

Please see the linked CVE ID for the latest information on affected
versions:

    https://www.cve.org/CVERecord?id=CVE-2026-4519
    https://github.com/python/cpython/pull/143931
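The two webbrowser.open() announcements above (CVE-2026-4519, leading dashes, and CVE-2026-4786, the "%action" bypass of that mitigation) both end with the same advice: sanitize the URL before passing it in. The following is an added example, not code from the advisory or from CPython, of such a sanitizer: it allow-lists URL characters, requires an absolute http(s) URL with a host, and rejects a leading "-" and the "%action" sequence. Function and class names, the allowed-scheme set and the sample URLs are constructed for illustration.

```python
# Added example (not from the advisory or CPython): allow only well-formed,
# absolute http(s) URLs to reach webbrowser.open(), rejecting strings that
# could be read as command-line options or that carry the "%action" sequence
# named in CVE-2026-4786.
import re
from urllib.parse import urlsplit, urlunsplit
import webbrowser

_ALLOWED_SCHEMES = {"http", "https"}
# Characters permitted in a URL (RFC 3986 unreserved + reserved + '%').
_URL_CHARS = re.compile(r"\A[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]+\Z")
# Every '%' must start a two-hex-digit escape.
_PCT_OK = re.compile(r"\A(?:[^%]|%[0-9A-Fa-f]{2})*\Z")


class UnsafeURL(ValueError):
    """Raised for any URL that must not be handed to a browser launcher."""


def sanitize_browser_url(url):
    """Return url unchanged if it passes every check; raise UnsafeURL otherwise."""
    if not isinstance(url, str) or not url or not _URL_CHARS.fullmatch(url):
        raise UnsafeURL("URL is empty or contains disallowed characters")
    if url.startswith("-"):
        raise UnsafeURL("URL starts with '-' (would look like an option)")
    # "%ac" is a syntactically valid escape, so the escape check below does
    # not catch "%action"; reject the sequence from the advisory explicitly.
    if "%action" in url.lower():
        raise UnsafeURL("URL contains the '%action' sequence")
    if not _PCT_OK.fullmatch(url):
        raise UnsafeURL("malformed percent-escape in URL")
    parts = urlsplit(url)
    if parts.scheme.lower() not in _ALLOWED_SCHEMES or not parts.hostname:
        raise UnsafeURL("URL must be an absolute http(s) URL with a host")
    return urlunsplit(parts)


def open_in_browser(url, opener=webbrowser.open):
    """Sanitize first, then delegate to the real opener (injectable for tests)."""
    return opener(sanitize_browser_url(url))


if __name__ == "__main__":
    # Constructed inputs; the opener is replaced so no browser is launched.
    for candidate in ("https://example.com/path?q=1", "-https://example.com",
                      "--new-window", "https://example.com/%action",
                      "file:///tmp/x", "https://example.com/a b"):
        try:
            print("ok      ", open_in_browser(candidate, opener=lambda u: u))
        except UnsafeURL as exc:
            print("rejected", repr(candidate), "->", exc)
```

Keeping the scheme allow-list in the sanitizer is what makes the check robust rather than pattern-specific: a string that is not an absolute http(s) URL never reaches the browser command line, whatever prefix or escape sequence it carries.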




=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
