Notice: This page displays a fallback because interactive scripts did not run. Possible causes include disabled JavaScript or failure to load scripts or stylesheets.

Menu

Python 3.10.20

Release date: March 3, 2026

This is a security release of Python 3.10

Note: The release you're looking at is Python 3.10.20, a security bugfix release for the legacy 3.10 series. Python 3.14 is now the latest feature release series of Python 3. Get the latest release of 3.14.x here.

Security content in this release

Email and header-related

  • gh-144125: email.generator.BytesGenerator now refuses to serialize headers that are unsafely folded or delimited (see email.policy.Policy.verify_generated_headers); addressing CVE-2024-6923.
  • gh-143935: Fixed comment folding in modern email policies to prevent header injection when very long non-foldable comment text is wrapped.
  • gh-136063: email.message now ensures linear complexity for legacy HTTP parameter parsing.

HTTP, cookies, and URL parsing-related

  • gh-143916: wsgiref.headers.Headers now rejects C0 control characters in fields, values, and parameters.
  • gh-143919: http.cookies.Morsel now rejects control characters in fields and values.
  • gh-143925: data: URL media types now reject control characters.

XML-related

  • gh-144363: Upgraded bundled libexpat to 2.7.4 to fix CVE-2026-24515 and CVE-2026-25210.
  • gh-90949: Added Expat allocation-tracker APIs to xml.parsers.expat parser objects to limit memory amplification from malicious XML input; includes mitigation for CVE-2025-59375.
  • gh-142145: Removed quadratic behavior in xml.dom.minidom node ID cache clearing.

Denial-of-service hardening

  • gh-119342: Fixed a potential memory denial of service in plistlib.
  • gh-119451: Fixed a potential memory denial of service in http.client.
  • gh-119452: Fixed a potential memory denial of service in http.server (CGI server on Windows).
  • gh-136065: Fixed quadratic complexity in os.path.expandvars().

HTML parsing-related

  • gh-137836: Hardened html.parser.HTMLParser with support for additional RAWTEXT/PLAINTEXT elements (plaintext, xmp, iframe, noembed, noframes, optional noscript), improving robust handling of hostile markup.

Core and SSL memory-safety fixes

  • gh-144833: Fixed a use-after-free in ssl when SSL_new() fails.
  • gh-120298: Fixed a use-after-free in list rich comparison handling (list_richcompare_impl) for specially crafted concurrent inputs.
  • gh-120384: Fixed an out-of-bounds access in list slice assignment (list_ass_subscript) under specially crafted concurrent inputs.

No installers

According to the release calendar specified in PEP 619, Python 3.10 is now in the "security fixes only" stage of its life cycle: 3.10 branch only accepts security fixes and releases of those are made irregularly in source-only form until October 2026. Python 3.10 isn't receiving regular bug fixes anymore, and binary installers are no longer provided for it. Python 3.10.11 was the last full bugfix release of Python 3.10 with binary installers.

Full Changelog

Files

Source release

Download XZ compressed source tarball

Version Operating system Description File size Sigstore GPG SHA-256 checksum
Gzipped source tarball Source release 24.7 MB .sigstore SIG 4ff5fd4c5bab803b935019f3e31d7219cebd6f870d00389cea53b88bbe935d1a
XZ compressed source tarball Source release 18.9 MB .sigstore SIG de6517421601e39a9a3bc3e1bc4c7b2f239297423ee05e282598c83ec0647505