Notice: This page displays a fallback because interactive scripts did not run. Possible causes include disabled JavaScript or failure to load scripts or stylesheets.

Menu

Python 3.11.15

Release date: March 3, 2026

This is a security release of Python 3.11

Note: The release you're looking at is Python 3.11.15, a security bugfix release for the legacy 3.11 series. Python 3.14 is now the latest feature release series of Python 3. Get the latest release of 3.14.x here.

Security content in this release

Email and header-related

  • gh-144125: email.generator.BytesGenerator now refuses to serialize headers that are unsafely folded or delimited (see email.policy.Policy.verify_generated_headers); addressing CVE-2024-6923.
  • gh-143935: Fixed comment folding in modern email policies to prevent header injection when very long non-foldable comment text is wrapped.
  • gh-136063: email.message now ensures linear complexity for legacy HTTP parameter parsing.

HTTP, cookies, and URL parsing-related

  • gh-143916: wsgiref.headers.Headers now rejects C0 control characters in fields, values, and parameters.
  • gh-143919: http.cookies.Morsel now rejects control characters in fields and values.
  • gh-143925: data: URL media types now reject control characters.

XML-related

  • gh-144363: Upgraded bundled libexpat to 2.7.4 to fix CVE-2026-24515 and CVE-2026-25210.
  • gh-90949: Added Expat allocation-tracker APIs to xml.parsers.expat parser objects to limit memory amplification from malicious XML input; includes mitigation for CVE-2025-59375.
  • gh-142145: Removed quadratic behavior in xml.dom.minidom node ID cache clearing.

Denial-of-service hardening

  • gh-119342: Fixed a potential memory denial of service in plistlib.
  • gh-119451: Fixed a potential memory denial of service in http.client.
  • gh-119452: Fixed a potential memory denial of service in http.server (CGI server on Windows).
  • gh-136065: Fixed quadratic complexity in os.path.expandvars().

HTML parsing-related

  • gh-137836: Hardened html.parser.HTMLParser with support for additional RAWTEXT/PLAINTEXT elements (plaintext, xmp, iframe, noembed, noframes, optional noscript), improving robust handling of hostile markup.

Core and SSL memory-safety fixes

  • gh-144833: Fixed a use-after-free in ssl when SSL_new() fails.
  • gh-120298: Fixed a use-after-free in list rich comparison handling (list_richcompare_impl) for specially crafted concurrent inputs.
  • gh-120384: Fixed an out-of-bounds access in list slice assignment (list_ass_subscript) under specially crafted concurrent inputs.

No installers

According to the release calendar specified in PEP 664, Python 3.11 is now in the "security fixes only" stage of its life cycle: 3.11 branch only accepts security fixes and releases of those are made irregularly in source-only form until October 2027. Python 3.11 isn't receiving regular bug fixes anymore, and binary installers are no longer provided for it. Python 3.11.9 was the last full bugfix release of Python 3.11 with binary installers.

Full Changelog

Files

Source release

Download XZ compressed source tarball

Version Operating system Description File size Sigstore GPG SHA-256 checksum
Gzipped source tarball Source release 25.3 MB .sigstore SIG f4de1b10bd6c70cbb9fa1cd71fc5038b832747a74ee59d599c69ce4846defb50
XZ compressed source tarball Source release 19.4 MB .sigstore SIG 272179ddd9a2e41a0fc8e42e33dfbdca0b3711aa5abf372d3f2d51543d09b625