Python 3.14.6 Released: What's in the Changelog
Python 3.14.6 (released June 10, 2026) is a maintenance update with nine security fixes — including patches for CVE-2026-45186 and the completion of CVE-2021-4189 — plus OpenSSL 3.5.7, pip 26.1.2, and numerous crash and free-threading fixes.
Python 3.14.6, the latest stable maintenance release of the 3.14 series, was released on June 10, 2026. It is a substantial bug-fix and security update, headlined by nine security fixes and a broad set of crash and free-threading race-condition fixes across the interpreter and standard library.
Security
- CVE-2026-45186: bundled libexpat updated to 2.8.1 (gh-149698).
- CVE-2021-4189 completed: ftplib's undocumented `ftpcp` no longer trusts the IPv4 address returned by the source server for `PASV` by default (gh-87451).
- OpenSSL updated to 3.5.7 across the Windows, macOS, Android, and iOS installers (gh-151159).
- Fixed a possible stack buffer overflow in `bz2` when a `BZ2Decompressor` is reused after a decompression error (gh-150599).
- `shutil.move()` now resolves symlinks via `os.path.realpath()`, preventing a symlink-based bypass of its containment guard (gh-149835).
- `tarfile.data_filter()` hardened against several path-traversal bypasses of the `data` extraction filter (gh-149486).
- Fixed a potential denial of service in `unicodedata.normalize()` caused by quadratic-time canonical ordering (gh-149079).
- Improved protection against XML hash-flooding in `xml.parsers.expat` and `xml.etree.ElementTree` (gh-149018).
- Fixed an XML injection vulnerability in `xmlrpc.client.dumps()` where `methodname` was not escaped (gh-148954).
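The `xmlrpc.client.dumps()` item above is the kind of fix a caller should not rely on alone when the method name comes from untrusted input. The following is an added example, not code from CPython or this release: a hypothetical `safe_dumps()` wrapper that rejects any method name outside the character set the XML-RPC specification allows before it is ever interpolated into `<methodName>`, and a round-trip through `xmlrpc.client.loads()` to confirm the peer sees exactly what was sent.

```python
"""Validate XML-RPC method names before serialization (added example)."""
import re
import xmlrpc.client

# The XML-RPC spec limits method names to A-Z, a-z, 0-9, underscore,
# period, colon and slash.  Anything else (e.g. '<', '&', '"') is refused
# here instead of trusting the serializer to escape it.
_METHOD_NAME_RE = re.compile(r"[A-Za-z0-9_.:/]+")


def is_valid_method_name(name: object) -> bool:
    """True if *name* is a str containing only spec-allowed characters."""
    return isinstance(name, str) and _METHOD_NAME_RE.fullmatch(name) is not None


def safe_dumps(params: tuple, methodname: str, **kwargs) -> str:
    """Serialize an XML-RPC call, refusing method names that could carry markup.

    Hypothetical helper: wraps xmlrpc.client.dumps() with an allowlist check.
    """
    if not is_valid_method_name(methodname):
        raise ValueError(f"invalid XML-RPC method name: {methodname!r}")
    return xmlrpc.client.dumps(params, methodname=methodname, **kwargs)


def round_trip(params: tuple, methodname: str) -> tuple:
    """Serialize, then parse back; returns (params, methodname) as a peer would."""
    return xmlrpc.client.loads(safe_dumps(params, methodname))


if __name__ == "__main__":
    # Constructed inputs: one well-formed call and one with a stray '<'.
    print(safe_dumps((1, 2), "demo.add"))
    try:
        safe_dumps((), "bad<name")
    except ValueError as exc:
        print("rejected:", exc)
```

The allowlist is deliberately stricter than escaping: a name that fails it is a bug or an attack either way, so refusing it early gives a clearer signal than emitting escaped markup.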
Core and Builtins
- Multiple out-of-memory paths now raise a proper `MemoryError` instead of crashing (compiler, tokenizer init, `_winapi.CreateProcess()`).
- Several free-threading data races fixed, including in `gc.set_threshold()` scheduling, `memoryview`, and `_PyBytes_FromList`.
- Fixed the frozen importer accepting module names with embedded null bytes, which bypassed the `sys.modules` cache (gh-150633).
- Fixed a use-after-free when the `unicodedata` module was GC'd between `\N{...}` decode calls (gh-149449).
Library
- Bundled pip updated to 26.1.2 (gh-150685).
- Fixed a use-after-free crash in `json` when an object is modified during serialization (gh-142831).
- Fixed a segfault in `pickle` when pickling a dict concurrently mutated in the free-threaded build (gh-146452).
- Several free-threading race conditions fixed in `ssl`, `collections.deque.index()`, `unittest.mock.ThreadingMock`, and `io.TextIOWrapper` re-initialization.
- `zipfile` now preserves non-UTF-8 legacy-encoded filenames when appending (gh-84353).
Platform notes
- Windows / macOS: bundled OpenSSL updated to 3.5.7; macOS installer also updated to libmpdecimal 4.0.1.
- IDLE: now warns before overwriting a file on save.
Full details are in the official release notes. If you're on 3.14, upgrading is recommended — the security fixes alone make it worthwhile.