CVE-2025-15366
Publication date 20 January 2026
Last updated 16 March 2026
Ubuntu priority
Description
The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| python2.7 | 25.10 questing | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Ignored patch breaks RFC conformance | |
| 20.04 LTS focal | Ignored patch breaks RFC conformance | |
| 18.04 LTS bionic | Ignored patch breaks RFC conformance | |
| 16.04 LTS xenial | Ignored patch breaks RFC conformance | |
| 14.04 LTS trusty | Ignored patch breaks RFC conformance | |
| python3.4 | 25.10 questing | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 14.04 LTS trusty | Ignored patch breaks RFC conformance | |
| python3.5 | 25.10 questing | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 16.04 LTS xenial | Ignored patch breaks RFC conformance | |
| 14.04 LTS trusty | Ignored patch breaks RFC conformance | |
| python3.6 | 25.10 questing | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 18.04 LTS bionic | Ignored patch breaks RFC conformance | |
| python3.7 | 25.10 questing | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 18.04 LTS bionic | Ignored patch breaks RFC conformance | |
| python3.8 | 25.10 questing | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal | Ignored patch breaks RFC conformance | |
| 18.04 LTS bionic | Ignored patch breaks RFC conformance | |
| python3.9 | 25.10 questing | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal | Ignored patch breaks RFC conformance | |
| python3.10 | 25.10 questing | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Ignored patch breaks RFC conformance | |
| python3.11 | 25.10 questing | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Ignored patch breaks RFC conformance | |
| python3.12 | 25.10 questing | Not in release |
| 24.04 LTS noble | Ignored patch breaks RFC conformance | |
| 22.04 LTS jammy | Not in release | |
| python3.13 | 25.10 questing | Ignored patch breaks RFC conformance |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| python3.14 | 25.10 questing | Ignored patch breaks RFC conformance |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release |
Notes
vyomydv
CVE patch breaks conformance with RFC 9051 - Internet Message Access Protocol (IMAP). Initial patch published in USN-8018-1 has been reverted. Python upstream also hasn't backported this patch to the upstream supported releases
References
Related Ubuntu Security Notices (USN)
- USN-8018-1
- Python vulnerabilities
- 5 February 2026
- USN-8018-2
- Python regression
- 9 March 2026
Other references
- https://www.cve.org/CVERecord?id=CVE-2025-15366
- https://github.com/python/cpython/commit/6262704b134db2a4ba12e85ecfbd968534f28b45
- https://github.com/python/cpython/issues/143921
- https://github.com/python/cpython/pull/143922
- https://mail.python.org/archives/list/security-announce@python.org/thread/DD7C7JZJYTBXMDOWKCEIEBJLBRU64OMR/
- https://bugs.launchpad.net/bugs/2143706