[3.6] Security fixes for CVE-2026-6100 and CVE-2026-4786 by stratakis · Pull Request #145 · fedora-python/cpython

stratakis · 2026-04-17T03:35:08Z

No description provided.

Fix webbrowser `%action` substitution bypass of dash-prefix check Backported from Python 3.10

Fix a possible UAF in {LZMA,BZ2,_Zlib}Decompressor Backported from Python 3.10

hroncok · 2026-04-21T16:41:24Z

For CVE-2026-6100, is there no change required for Modules/zlibmodule.c ?

stratakis · 2026-04-22T03:13:04Z

For CVE-2026-6100, is there no change required for Modules/zlibmodule.c ?

Nope, the vulnerable class in zlibmodule was introduced with Python 3.12, hence why also the 3.9, 3.10, 3.11 backports also don't have a fix there.

StanFromIreland added 2 commits April 17, 2026 05:28

00480: CVE-2026-4786

96f1cb3

Fix webbrowser `%action` substitution bypass of dash-prefix check Backported from Python 3.10

00482: CVE-2026-6100

4aa3813

Fix a possible UAF in {LZMA,BZ2,_Zlib}Decompressor Backported from Python 3.10

hroncok approved these changes Apr 22, 2026

View reviewed changes

stratakis merged commit 4aa3813 into fedora-python:fedora-3.6 Apr 23, 2026

stratakis deleted the 3.6-cves-for-ever branch April 23, 2026 01:12

Provide feedback