python3-3.14.4

[Bruce Dubbs]

New point version.

[Xi Ruoyao]

It contains fixes for CVE-2026-4224, CVE-2026-3644, and CVE-2026-2297.

[Douglas R. Reno]

We've got the fixes for CVE-2026-4224 and CVE-2026-3644 already, but not 2297

[Bruce Dubbs]

What's New in Python 3.14.4 final?

Security

• gh-145986: :mod:xml.parsers.expat: Fixed a crash caused by unbounded C recursion when converting deeply nested XML content models with :meth:~xml.parsers.expat.xmlparser.ElementDeclHandler. This addresses :cve:2026-4224.

• gh-145599: Reject control characters in :class:http.cookies.Morsel :meth:~http.cookies.Morsel.update and :meth:~http.cookies.BaseCookie.js_output. This addresses :cve:2026-3644.

• gh-145506: Fixes :cve:2026-2297 by ensuring that SourcelessFileLoader uses :func:io.open_code when opening .pyc files.

• gh-144370: Disallow usage of control characters in status in :mod:wsgiref.handlers to prevent HTTP header injections. Patch by Benedikt Johannes.

• gh-143930: Reject leading dashes in URLs passed to :func:webbrowser.open.

Core and Builtins

• gh-148157: Fix an unlikely crash when parsing an invalid type comments for function parameters. Found by OSS Fuzz in :oss-fuzz:492782951.

• gh-148144: Initialize _PyInterpreterFrame.visited when copying interpreter frames so incremental GC does not read an uninitialized byte from generator and frame-object copies.

• gh-146615: Fix a crash in :meth:~object.__get__ for :c:expr:`METH_METHOD` descriptors when an invalid (non-type) object is passed as the second argument. Patch by Steven Sun.

• gh-146308: Fixed several error handling issues in the :mod:!_remote_debugging module, including safer validation of remote int objects, clearer asyncio task chain failures, and cache cleanup fixes that avoid leaking or double-freeing metadata on allocation failure. Patch by Pablo Galindo.

• gh-146128: Fix a bug which could cause constant values to be partially corrupted in AArch64 JIT code. This issue is theoretical, and hasn't actually been observed in unmodified Python interpreters.

• gh-146250: Fixed a memory leak in :exc:SyntaxError when re-initializing it.

• gh-146245: Fixed reference leaks in :mod:socket when audit hooks raise exceptions in :func:socket.getaddrinfo and :meth:!socket.sendto.

• gh-146196: Fix potential Undefined Behavior in :c:func:`PyUnicodeWriter_WriteASCII` by adding a zero-length check. Patch by Shamil Abdulaev.

• gh-146227: Fix wrong type in _Py_atomic_load_uint16 in the C11 atomics backend (pyatomic_std.h), which used a 32-bit atomic load instead of 16-bit. Found by Mohammed Zuhaib.

• gh-146056: Fix :func:repr for lists and tuples containing NULL\ s.

• gh-146092: Handle properly memory allocation failures on str and float opcodes. Patch by Victor Stinner.

• gh-146041: Fix free-threading scaling bottleneck in :func:sys.intern and :c:func:`PyObject_SetAttr` by avoiding the interpreter-wide lock when the string is already interned and immortalized.

• gh-145990: python --help-env sections are now sorted by environment variable name.

• gh-145990: python --help-xoptions is now sorted by -X option name.

• gh-145376: Fix GC tracking in structseq.replace().

• gh-145792: Fix out-of-bounds access when invoking faulthandler on a CPython build compiled without support for VLAs.

• gh-142183: Avoid a pathological case where repeated calls at a specific stack depth could be significantly slower.

• gh-145779: Improve scaling of :func:classmethod and :func:staticmethod calls in the free-threaded build by avoiding the descriptor get call.

• gh-145783: Fix an unlikely crash in the parser when certain errors were erroneously not propagated. Found by OSS Fuzz in :oss-fuzz:491369109.

• gh-145685: Improve scaling of type attribute lookups in the :term:free-threaded build by avoiding contention on the internal type lock.

• gh-145701: Fix :exc:SystemError when classdict or conditional_annotations is in a class-scope inlined comprehension. Found by OSS Fuzz in :oss-fuzz:491105000.

• gh-145713: Make :meth:bytearray.resize thread-safe in the free-threaded build by using a critical section and calling the lock-held variant of the resize function.

• gh-145615: Fixed a memory leak in the :term:free-threaded build where mimalloc pages could become permanently unreclaimable until the owning thread exited.

• gh-145566: In the free threading build, skip the stop-the-world pause when reassigning class on a newly created object.

• gh-145335: Fix a crash in :func:os.pathconf when called with -1 as the path argument.

• gh-145036: In free-threaded build, fix race condition when calling :meth:!__sizeof__ on a :class:list

• gh-145376: Fix reference leaks in various unusual error scenarios.

• gh-145234: Fixed a SystemError in the parser when an encoding cookie (for example, UTF-7) decodes to carriage returns (\r). Newlines are now normalized after decoding in the string tokenizer.

• gh-130555: Fix use-after-free in :meth:dict.clear when the dictionary values are embedded in an object and a destructor causes re-entrant mutation of the dictionary.

• gh-145187: Fix compiler assertion fail when a type parameter bound contains an invalid expression in a conditional block.

• gh-145142: Fix a crash in the free-threaded build when the dictionary argument to :meth:str.maketrans is concurrently modified.

• gh-144872: Fix heap buffer overflow in the parser found by OSS-Fuzz.

• gh-144766: Fix a crash in fork child process when perf support is enabled.

• gh-144759: Fix undefined behavior in the lexer when start and multi_line_start pointers are NULL in _PyLexer_remember_fstring_buffers() and _PyLexer_restore_fstring_buffers(). The NULL pointer arithmetic (NULL - valid_pointer) is now guarded with explicit NULL checks.

• gh-144563: Fix interaction of the Tachyon profiler and :mod:ctypes and other modules that load the Python shared library (if present) in an independent map as this was causing the mechanism that loads the binary information to be confused.

• gh-144601: Fix crash when importing a module whose PyInit function raises an exception from a subinterpreter.

• gh-144438: Align the QSBR thread state array to a 64-byte cache line boundary to avoid false sharing in the :term:free-threaded build.

• gh-144513: Fix potential deadlock when using critical sections during stop-the-world pauses in the free-threaded build.

• gh-144446: Fix data races in the free-threaded build when reading frame object attributes while another thread is executing the frame.

• gh-143636: Fix a crash when calling :class:`SimpleNamespace.replace() <types.SimpleNamespace>` on non-namespace instances. Patch by Bénédikt Tran.

• gh-143650: Fix race condition in :mod:importlib where a thread could receive a stale module reference when another thread's import fails.

• gh-141732: Ensure the :meth:~object.__repr__ for :exc:ExceptionGroup and :exc:BaseExceptionGroup does not change when the exception sequence that was original passed in to its constructor is subsequently mutated.

• gh-140594: Fix an out of bounds read when a single NUL character is read from the standard input. Patch by Shamil Abdulaev.

• gh-91636: While performing garbage collection, clear weakrefs to unreachable objects that are created during running of finalizers. If those weakrefs were are not cleared, they could reveal unreachable objects.

• gh-130327: Fix erroneous clearing of an object's :attr:~object.__dict__ if overwritten at runtime.

• gh-80667: Literals using the \N{name} escape syntax can now construct CJK ideographs and Hangul syllables using case-insensitive names.

Library

• gh-144503: Fix a regression introduced in 3.14.3 and 3.13.12 where the :mod:multiprocessing forkserver start method would fail with :exc:BrokenPipeError when the parent process had a very large :data:sys.argv. The argv is now passed to the forkserver as separate command-line arguments rather than being embedded in the -c command string, avoiding the operating system's per-argument length limit.

• gh-146613: :mod:itertools: Fix a crash in :func:itertools.groupby when the grouper iterator is concurrently mutated.

• gh-146080: :mod:ssl: fix a crash when an SNI callback tries to use an SSL object that has already been garbage-collected. Patch by Bénédikt Tran.

• gh-146556: Fix :func:annotationlib.get_annotations hanging indefinitely when called with eval_str=True on a callable that has a circular wrapped chain (e.g. f.wrapped = f). Cycle detection using an id-based visited set now stops the traversal and falls back to the globals found so far, mirroring the approach of :func:inspect.unwrap.

• gh-146090: :mod:sqlite3: fix a crash when :meth:sqlite3.Connection.create_collation fails with `SQLITE_BUSY <​https://sqlite.org/rescode.html#busy>`. Patch by Bénédikt Tran.

• gh-146090: :mod:sqlite3: properly raise :exc:MemoryError instead of :exc:SystemError when a context callback fails to be allocated. Patch by Bénédikt Tran.

• gh-145633: Fix struct.pack('f', float): use :c:func:`PyFloat_Pack4` to raise :exc:OverflowError. Patch by Sergey B Kirpichev and Victor Stinner.

• gh-146310: The :mod:ensurepip module no longer looks for pip-*.whl wheel packages in the current directory.

• gh-146083: Update bundled libexpat <https://libexpat.github.io/>_ to version 2.7.5.

• gh-146076: :mod:zoneinfo: fix crashes when deleting _weak_cache from a :class:zoneinfo.ZoneInfo subclass.

• gh-146054: Limit the size of :func:encodings.search_function cache. Found by OSS Fuzz in :oss-fuzz:493449985.

• gh-146004: All :option:-X options from the Python command line are now propagated to child processes spawned by :mod:multiprocessing, not just a hard-coded subset. This makes the behavior consistent between default "spawn" and "forkserver" start methods and the old "fork" start method. The options that were previously not propagated are: context_aware_warnings, cpu_count, disable-remote-debug, int_max_str_digits, lazy_imports, no_debug_ranges, pathconfig_warnings, perf, perf_jit, presite, pycache_prefix, thread_inherit_context, and warn_default_encoding.

• gh-145883: :mod:zoneinfo: Fix heap buffer overflow reads from malformed TZif data. Found by OSS Fuzz, issues :oss-fuzz:492245058 and :oss-fuzz:492230068.

• gh-145754: Request signature during mock autospec with FORWARDREF annotation format. This prevents runtime errors when an annotation uses a name that is not defined at runtime.

• gh-145750: Avoid undefined behaviour from signed integer overflow when parsing format strings in the :mod:struct module. Found by OSS Fuzz in :oss-fuzz:488466741.

• gh-145492: Fix infinite recursion in :class:collections.defaultdict repr when a defaultdict contains itself. Based on analysis by KowalskiThomas in :gh:145492.

• gh-145623: Fix crash in :mod:struct when calling :func:repr or sizeof() on an uninitialized :class:struct.Struct object created via Struct.new() without calling init().

• gh-145616: Detect Android sysconfig ABI correctly on 32-bit ARM Android on 64-bit ARM kernel

• gh-145551: Fix InvalidStateError when cancelling process created by :func:asyncio.create_subprocess_exec or :func:asyncio.create_subprocess_shell.

• gh-145446: Now :mod:functools is safer in free-threaded build when using keywords in :func:functools.partial

• gh-145417: :mod:venv: Prevent incorrect preservation of SELinux context when copying the Activate.ps1 script. The script inherited the SELinux security context of the system template directory, rather than the destination project directory.

• gh-145376: Fix double free and null pointer dereference in unusual error scenarios in :mod:hashlib and :mod:hmac modules.

• gh-145301: :mod:hmac: fix a crash when the initialization of the underlying C extension module fails.

• gh-145301: :mod:hashlib: fix a crash when the initialization of the underlying C extension module fails.

• gh-145264: Base64 decoder (see :func:binascii.a2b_base64, :func:base64.b64decode, etc) no longer ignores excess data after the first padded quad in non-strict (default) mode. Instead, in conformance with :rfc:4648, section 3.3, it now ignores the pad character, "=", if it is present before the end of the encoded data.

• gh-145158: Avoid undefined behaviour from signed integer overflow when parsing format strings in the :mod:struct module.

• gh-144984: Fix crash in :meth:xml.parsers.expat.xmlparser.ExternalEntityParserCreate when an allocation fails. The error paths could dereference NULL handlers and double-decrement the parent parser's reference count.

• gh-88091: Fix :func:unicodedata.decomposition for Hangul characters.

• gh-144986: Fix a memory leak in :func:atexit.register. Patch by Shamil Abdulaev.

• gh-144777: Fix data races in :class:io.IncrementalNewlineDecoder in the :term:free-threaded build.

• gh-144809: Make :class:collections.deque copy atomic in the :term:free-threaded build.

• gh-144835: Added missing explanations for some parameters in :func:glob.glob and :func:glob.iglob.

• gh-144833: Fixed a use-after-free in :mod:ssl when SSL_new() returns NULL in newPySSLSocket(). The error was reported via a dangling pointer after the object had already been freed.

• gh-144782: Fix :class:argparse.ArgumentParser to be :mod:`pickleable <pickle>`.

• gh-144259: Fix inconsistent display of long multiline pasted content in the REPL.

• gh-144156: Fix the folding of headers by the :mod:email library when :rfc:2047 encoded words are used. Now whitespace is correctly preserved and also correctly added between adjacent encoded words. The latter property was broken by the fix for gh-92081, which mostly fixed previous failures to preserve whitespace.

• gh-66305: Fixed a hang on Windows in the :mod:tempfile module when trying to create a temporary file or subdirectory in a non-writable directory.

• gh-140814: :func:multiprocessing.freeze_support no longer sets the default start method as a side effect, which previously caused a subsequent :func:multiprocessing.set_start_method call to raise :exc:RuntimeError.

• gh-144475: Calling :func:repr on :func:functools.partial is now safer when the partial object's internal attributes are replaced while the string representation is being generated.

• gh-144538: Bump the version of pip bundled in ensurepip to version 26.0.1

• gh-144494: Fix performance regression in :func:asyncio.all_tasks on :term:free-threaded builds <free-threaded build>. Patch by Kumar Aditya.

• gh-144316: Fix crash in _remote_debugging that caused test_external_inspection to intermittently fail. Patch by Taegyun Kim.

• gh-144363: Update bundled libexpat <https://libexpat.github.io/>_ to 2.7.4

• gh-143637: Fixed a crash in socket.sendmsg() that could occur if ancillary data is mutated re-entrantly during argument parsing.

• gh-143543: Fix a crash in itertools.groupby that could occur when a user-defined :meth:~object.__eq__ method re-enters the iterator during key comparison.

• gh-140652: Fix a crash in :func:!_interpchannels.list_all after closing a channel.

• gh-143698: Allow *scheduler* and *setpgroup* arguments to be explicitly :const:None when calling :func:os.posix_spawn or :func:os.posix_spawnp.

• gh-143698: Raise :exc:TypeError instead of :exc:SystemError when the *scheduler* in :func:os.posix_spawn or :func:os.posix_spawnp is not a tuple. Patch by Bénédikt Tran.

• gh-142516: :mod:ssl: fix reference leaks in :class:ssl.SSLContext objects. Patch by Bénédikt Tran.

• gh-143304: Fix :class:ctypes.CDLL to honor the handle parameter on POSIX systems.

• gh-142781: :mod:zoneinfo: fix a crash when instantiating :class:~zoneinfo.ZoneInfo objects for which the internal class-level cache is inconsistent.

• gh-142763: Fix a race condition between :class:zoneinfo.ZoneInfo creation and :func:zoneinfo.ZoneInfo.clear_cache that could raise :exc:KeyError.

• gh-142787: Fix assertion failure in :mod:sqlite3 blob subscript when slicing with indices that result in an empty slice.

• gh-142352: Fix :meth:asyncio.StreamWriter.start_tls to transfer buffered data from :class:~asyncio.StreamReader to the SSL layer, preventing data loss when upgrading a connection to TLS mid-stream (e.g., when implementing PROXY protocol support).

• gh-141707: Don't change :class:tarfile.TarInfo type from AREGTYPE to DIRTYPE when parsing GNU long name or link headers.

• gh-139933: Improve :exc:AttributeError suggestions for classes with a custom :meth:~object.__dir__ method returning a list of unsortable values. Patch by Bénédikt Tran.

• gh-137335: Get rid of any possibility of a name conflict for named pipes in :mod:multiprocessing and :mod:asyncio on Windows, no matter how small.

• gh-80667: Support lookup for Tangut Ideographs in :mod:unicodedata.

• bpo-40243: Fix :meth:!unicodedata.ucd_3_2_0.numeric for non-decimal values.

Documentation

• gh-126676: Expand :mod:argparse documentation for type=bool with a demonstration of the surprising behavior and pointers to common alternatives.

• gh-145649: Fix text wrapping and formatting of -X option descriptions in the :manpage:python(1) man page by using proper roff markup.

• gh-145450: Document missing public :class:wave.Wave_write getter methods.

• gh-136246: A new "Improve this page" link is available in the left-hand sidebar of the docs, offering links to create GitHub issues, discussion forum posts, or pull requests.

Tests

• gh-144418: The Android testbed's emulator RAM has been increased from 2 GB to 4 GB.

• gh-146202: Fix a race condition in regrtest: make sure that the temporary directory is created in the worker process. Previously, temp_cwd() could fail on Windows if the "build" directory was not created.

• gh-144739: When Python was compiled with system expat older then 2.7.2 but tests run with newer expat, still skip :class:!test.test_pyexpat.MemoryProtectionTest.

Build

• gh-146541: The Android testbed can now be built for 32-bit ARM and x86 targets.

• gh-146498: The iOS XCframework build script now ensures libpython isn't included in installed app content, and is more robust in identifying standard library binary content that requires processing.

• gh-146450: The Android build script was modified to improve parity with other platform build scripts.

• gh-146446: The clean target for the Apple/iOS XCframework build script is now more selective when targeting a single architecture.

• gh-145801: When Python build is optimized with GCC using PGO, use -fprofile-update=atomic option to use atomic operations when updating profile information. This option reduces the risk of gcov Data Files (.gcda) corruption which can cause random GCC crashes.

C API

• gh-146056: :c:func:`PyUnicodeWriter_WriteRepr now supports NULL` argument.

• gh-145010: Use GCC dialect alternatives for inline assembly in object.h so that the Python headers compile correctly with -masm=intel.

• gh-144981: Made :c:func:`PyUnstable_Code_SetExtra`, :c:func:`PyUnstable_Code_GetExtra`, and :c:func:`PyUnstable_Eval_RequestCodeExtraIndex` thread-safe on the :term:free threaded <free threading> build.

[Bruce Dubbs]

Fixed at commit b4defc453e. Leaving open for security advisories.

[Douglas R. Reno]

An additional CVE was fixed in this release - CVE-2026-3446. That follows ​https://github.com/python/cpython/pull/145267, the advisory from upstream is:

When calling base64.b64decode() or related functions the decoding process would stop 
after encountering the first padded quad regardless of whether there was more 
information to be processed. This can lead to data being accepted which may be processed 
differently by other implementations. Use "strict=True" to enable stricter processing of 
base64 data.

Please see the linked CVE ID for the latest information on affected versions:

* https://www.cve.org/CVERecord?id=CVE-2026-3446
* https://github.com/python/cpython/pull/145267

This one was rated as Medium

[Douglas R. Reno]

SA-13.0-038 filed. Thank you for your constant work on keeping up with the Python stuff Joe, I really appreciate it!