Python 3.14.6 Released: What's in the Changelog

Python 3.14.6 (released June 10, 2026) is a maintenance update with nine security fixes — including patches for CVE-2026-45186 and the completion of CVE-2021-4189 — plus OpenSSL 3.5.7, pip 26.1.2, and numerous crash and free-threading fixes.

Python 3.14.6, the latest stable maintenance release of the 3.14 series, was released on June 10, 2026. It is a substantial bug-fix and security update, headlined by nine security fixes and a broad set of crash and free-threading race-condition fixes across the interpreter and standard library.

Security

  • CVE-2026-45186: bundled libexpat updated to 2.8.1 (gh-149698).
  • CVE-2021-4189 completed: ftplib's undocumented ftpcp no longer trusts the IPv4 address returned by the source server for PASV by default (gh-87451).
  • OpenSSL updated to 3.5.7 across the Windows, macOS, Android, and iOS installers (gh-151159).
  • Fixed a possible stack buffer overflow in bz2 when a BZ2Decompressor is reused after a decompression error (gh-150599).
  • shutil.move() now resolves symlinks via os.path.realpath(), preventing a symlink-based bypass of its containment guard (gh-149835).
  • tarfile.data_filter() hardened against several path-traversal bypasses of the data extraction filter (gh-149486).
  • Fixed a potential denial of service in unicodedata.normalize() caused by quadratic-time canonical ordering (gh-149079).
  • Improved protection against XML hash-flooding in xml.parsers.expat and xml.etree.ElementTree (gh-149018).
  • Fixed an XML injection vulnerability in xmlrpc.client.dumps() where methodname was not escaped (gh-148954).

Core and Builtins

  • Multiple out-of-memory paths now raise a proper MemoryError instead of crashing (compiler, tokenizer init, _winapi.CreateProcess()).
  • Several free-threading data races fixed, including in gc.set_threshold() scheduling, memoryview, and _PyBytes_FromList.
  • Fixed the frozen importer accepting module names with embedded null bytes, which bypassed the sys.modules cache (gh-150633).
  • Fixed a use-after-free when the unicodedata module was GC'd between \N{...} decode calls (gh-149449).

Library

  • Bundled pip updated to 26.1.2 (gh-150685).
  • Fixed a use-after-free crash in json when an object is modified during serialization (gh-142831).
  • Fixed a segfault in pickle when pickling a dict concurrently mutated in the free-threaded build (gh-146452).
  • Several free-threading race conditions fixed in ssl, collections.deque.index(), unittest.mock.ThreadingMock, and io.TextIOWrapper re-initialization.
  • zipfile now preserves non-UTF-8 legacy-encoded filenames when appending (gh-84353).

Platform notes

  • Windows / macOS: bundled OpenSSL updated to 3.5.7; macOS installer also updated to libmpdecimal 4.0.1.
  • IDLE: now warns before overwriting a file on save.

Full details are in the official release notes. If you're on 3.14, upgrading is recommended — the security fixes alone make it worthwhile.