CVE-2025-8194 CVE-2025-8291 CVE-2025-12084 CVE-2025-13836 CVE-2025-13837
Multiple security fixes in cPython 3.9.
CVE-2022-37454
The Keccak XKCP SHA-3 implementation had an integer overflow
and a buffer overflow in the sponge function interface. This
allowed attackers to execute arbitrary code or eliminate expected
cryptographic properties.
CVE-2025-4516
An issue in bytes.decode("unicode_escape", error="ignore|replace")
could result in a crash.
CVE-2025-6069
The html.parser.HTMLParser class had worse-case quadratic complexity
when processing certain crafted malformed inputs potentially leading
to amplified denial-of-service.
CVE-2025-6075
If the value passed to os.path.expandvars() is user-controlled
a performance degradation was possible when expanding environment
variables.
CVE-2025-8194
The tar implementation would process tar archives with negative
offsets without error, resulting in an infinite loop and deadlock
during the parsing of maliciously crafted tar archives.
CVE-2025-8291
The 'zipfile' module would not check the validity of the ZIP64 End
of Central Directory (EOCD) Locator record offset value would not be
used to locate the ZIP64 EOCD record, instead the ZIP64 EOCD record
would be assumed to be the previous record in the ZIP archive. This
could be abused to create ZIP archives that are handled differently
by the 'zipfile' module compared to other ZIP implementations.
CVE-2025-12084
When building nested elements using xml.dom.minidom methods such
as appendChild() that have a dependency on _clear_id_cache() the
algorithm was quadratic. Availability could be impacted when building
excessively nested documents.
CVE-2025-13836
When reading an HTTP response from a server, if no read amount was
specified, the default behavior was to use Content-Length. This
allowed a malicious server to cause...
3.9.2-1+deb11u4