CVE-2025-15367
Publication date 20 January 2026
Last updated 16 March 2026
Ubuntu priority
Description
The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| python2.7 | 25.10 questing | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Ignored breaks older behavior | |
| 20.04 LTS focal | Ignored breaks older behavior | |
| 18.04 LTS bionic | Ignored breaks older behavior | |
| 16.04 LTS xenial | Ignored breaks older behavior | |
| 14.04 LTS trusty | Ignored breaks older behavior | |
| python3.4 | 25.10 questing | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 14.04 LTS trusty | Ignored breaks older behavior | |
| python3.5 | 25.10 questing | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 16.04 LTS xenial | Ignored breaks older behavior | |
| 14.04 LTS trusty | Ignored breaks older behavior | |
| python3.6 | 25.10 questing | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 18.04 LTS bionic | Ignored breaks older behavior | |
| python3.7 | 25.10 questing | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 18.04 LTS bionic | Ignored breaks older behavior | |
| python3.8 | 25.10 questing | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal | Ignored breaks older behavior | |
| 18.04 LTS bionic | Ignored breaks older behavior | |
| python3.9 | 25.10 questing | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal | Ignored breaks older behavior | |
| python3.10 | 25.10 questing | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Ignored breaks older behavior | |
| python3.11 | 25.10 questing | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Ignored breaks older behavior | |
| python3.12 | 25.10 questing | Not in release |
| 24.04 LTS noble | Ignored breaks older behavior | |
| 22.04 LTS jammy | Not in release | |
| python3.13 | 25.10 questing | Ignored breaks older behavior |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| python3.14 | 25.10 questing | Ignored breaks older behavior |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release |
Notes
vyomydv
Patch potentially breaks older releases as non-printables like tab and space while being disallowed by the RFC are commonly used in passwords. Initial patch published in USN-8018-1 has been reverted. Python upstream also hasn't backported this patch to the upstream supported releases
References
Related Ubuntu Security Notices (USN)
- USN-8018-1
- Python vulnerabilities
- 5 February 2026
- USN-8018-2
- Python regression
- 9 March 2026
Other references
- https://www.cve.org/CVERecord?id=CVE-2025-15367
- https://github.com/python/cpython/commit/b234a2b67539f787e191d2ef19a7cbdce32874e7
- https://github.com/python/cpython/issues/143923
- https://github.com/python/cpython/pull/143924
- https://mail.python.org/archives/list/security-announce@python.org/thread/CBFBOWVGGUJFSGITQCCBZS4GEYYZ7ZNE/
- https://bugs.launchpad.net/bugs/2143706