CPython has a DoS vuln

A medium-severity denial-of-service vulnerability in CPython was disclosed and flagged in security advisories; it underlines that even core language runtimes need patching and secure dependency management. The advisory is a practical reminder that secure coding includes staying current on runtime updates. (news.de)

CVE-2025-13836 is a denial-of-service flaw in CPython's http.client: a malicious server can send an oversized Content-Length and force the client to allocate excessive memory, producing out-of-memory (OOM) conditions. (sentinelone.com) The Python security mailing list and the NVD record show that CVE-2025-13836 was disclosed in December 2025, with follow-up updates into early 2026. (mail.python.org)

CVE-2025-12084 is a separate availability bug in xml.dom.minidom: a quadratic-time algorithm in _clear_id_cache() can be triggered by deeply nested XML, causing slowdowns or denial of service when building large DOM trees. (github.com)

The Bundesamt für Sicherheit in der Informationstechnik (BSI) published an update on 18 March 2026 that consolidated multiple CPython advisories first reported in January 2026 and listed affected vendors including Amazon Linux 2, Red Hat, Fedora, Ubuntu and SUSE. (news.de) Red Hat issued security updates for python3.11 (RHSA-2026:1374, issued 2026-01-27) and additional advisories covering python3.12/3.11 across RHEL 8 and 9, while vendor pages referenced by the BSI update point to SUSE security update SUSE-SU-2026:20710-1 (18-Mar-2026) and other distro patches. (access.redhat.com)

Upstream fixes have been merged, and public guidance from Python and security vendors recommends applying vendor patches and avoiding unbounded reads (use explicit maximum read sizes or chunked/streaming reads) when consuming HTTP responses, so that a server-supplied Content-Length cannot dictate how much memory the client allocates. (mail.python.org)

Red Hat advisories linked to these updates also catalog additional CPython issues beyond DoS, including header injection and POP3/IMAP command injection identifiers such as CVE-2026-1299, CVE-2025-15366 and CVE-2025-15367, indicating multiple maintenance priorities for runtime and library updates. (access.redhat.com)
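The "explicit maximum read sizes or chunked/streaming reads" guidance above, as an added example that is not from the advisory, CPython or any vendor: a bounded reader for http.client responses in which the server's Content-Length is only a fast-fail hint and the chunked loop enforces the caller's byte budget. The canned responses (HONEST, LYING, UNBOUNDED) and the socket stand-in are constructed here so the demo runs offline through the real http.client parser; `read_bounded` works unchanged on a response returned by `HTTPConnection.getresponse()`.

```python
import http.client
import io
from types import SimpleNamespace

class BodyTooLarge(Exception):
    """Response body exceeded the caller's byte budget."""

def read_bounded(resp, max_bytes, chunk_size=64 * 1024):
    """Read at most max_bytes from an http.client.HTTPResponse. Content-Length
    is only a fast-fail hint: the chunked loop enforces the budget, so a
    missing or lying header never decides how much memory the client uses."""
    declared = (resp.getheader("Content-Length") or "").strip()
    if declared.isdigit() and int(declared) > max_bytes:
        raise BodyTooLarge(f"Content-Length {declared} exceeds budget {max_bytes}")
    chunks, total = [], 0
    while True:
        # Ask for at most one byte past the budget: overflow is detected
        # without ever buffering an oversized body.
        chunk = resp.read(min(chunk_size, max_bytes - total + 1))
        if not chunk:
            return b"".join(chunks)
        total += len(chunk)
        if total > max_bytes:
            raise BodyTooLarge(f"body exceeded budget of {max_bytes} bytes")
        chunks.append(chunk)

def parse_response(raw):
    """Feed a constructed raw response through the real http.client parser."""
    sock = SimpleNamespace(makefile=lambda *a, **k: io.BytesIO(raw))  # socket stand-in
    resp = http.client.HTTPResponse(sock, method="GET")
    resp.begin()
    return resp

def http_response(headers, body):
    """Build a constructed HTTP/1.0 response from header lines and a body."""
    return "\r\n".join(["HTTP/1.0 200 OK", *headers, "", ""]).encode("ascii") + body

# Constructed scenarios: honest server, lying Content-Length, no Content-Length.
HONEST = http_response(["Content-Length: 200"], b"x" * 200)
LYING = http_response(["Content-Length: 1000000000000"], b"x" * 200)
UNBOUNDED = http_response([], b"x" * 100_000)

def rejected(raw, max_bytes):
    """True when read_bounded() refuses the body as over budget."""
    try:
        read_bounded(parse_response(raw), max_bytes)
        return False
    except BodyTooLarge:
        return True

if __name__ == "__main__":
    print(len(read_bounded(parse_response(HONEST), 1024)))  # 200
    print(rejected(LYING, 64 * 1024), rejected(UNBOUNDED, 64 * 1024))  # True True
```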

Shared from Scout.