Summary: USN-8018-1 fixed vulnerabilities in python3. That update introduced regressions. The patches for CVE-2025-15366 and CVE-2025-15367 caused behavior regressions in IMAP and POP3 handling, which upstream chose to avoid by not backporting them. 

OEM	Python
Severity	Medium
CVSS Score	6.5
CVEs	CVE-2026-0865, CVE-2025-15366, CVE-2025-15367
POC Available	No
Actively Exploited	No
Exploited in Wild	No
Advisory Version	1.0

Overview 

Python is a widely used high-level programming language that powers many enterprise applications, automation frameworks, DevOps pipelines, web platforms and email-processing services. Many Linux distributions – Ubuntu provide Python runtime packages as core system components. 

Ubuntu released USN-8018-2 to address regressions introduced in the previous security update USN-8018-1. The earlier update attempted to fix vulnerabilities related to email header parsing and input validation but unintentionally introduced compatibility issues affecting IMAP, POP3, and WSGI header processing. 

The new advisory prioritizes the fix for CVE-2026-0865, while also addressing issues related to CVE-2025-15366 and CVE-2025-15367.  

Vulnerability Name	CVE ID	Product Affected	Severity	CVSS Score	Fixed Version
WSGI Header Parsing Regression Vulnerability	CVE-2026-0865	Python	Medium	6.5	Updated Python packages
Email Header Injection Vulnerability	CVE-2025-15366	Python	Medium	5.9	Updated Python packages
Improper Email Header Parsing Vulnerability	CVE-2025-15367	Python	Medium	5.9	Updated Python packages

Technical Summary 

These vulnerabilities affect multiple Python versions distributed within Ubuntu systems. 

The original security update introduced patches intended to address email header parsing vulnerabilities. However, those fixes resulted in unintended behavioural regressions. 

The CVE-2026-0865 patch incorrectly rejected horizontal tab characters in WSGI headers, potentially causing web applications relying on Python frameworks to malfunction. 

Additionally, patches for CVE-2025-15366 and CVE-2025-15367 affected IMAP and POP3 email processing behavior, which allow upstream developers to avoid backporting those changes due to compatibility concerns. 

Ubuntu released updated packages to resolve these regressions while maintaining protection against the underlying vulnerabilities. 

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2026-0865	Python (multiple Ubuntu packages)	Incorrect rejection of horizontal tabs in WSGI headers after patch	Web application compatibility issues
CVE-2025-15366	Python email parsing library	Improper parsing allowing email header injection	Email spoofing or message manipulation
CVE-2025-15367	Python email processing modules	Improper validation of message headers	Header manipulation in email processing

Affected Packages 

The following Python packages are affected – 

python3.4  python3.5  python3.6  python3.7  python3.8 

python3.10  python3.12  python3.13  python3.14 

Remediation:  

Apply the latest Ubuntu security updates immediately- 

Fixed Package Versions 

Ubuntu Release	Fixed Package Version
Ubuntu 25.10	python3.13 – 3.13.7-1ubuntu0.4 / python3.14 – 3.14.0-1ubuntu0.3
Ubuntu 24.04 LTS	python3.12 – 3.12.3-1ubuntu0.12
Ubuntu 22.04 LTS	python3.10 – 3.10.12-1 22.04.15
Ubuntu 20.04 LTS	python3.8 – 3.8.10-0ubuntu1 20.04.18
Ubuntu 18.04 LTS	Updated ESM packages
Ubuntu 16.04 LTS	Updated ESM packages
Ubuntu 14.04 LTS	Updated ESM packages

If immediate patching is not possible, apply the following temporary mitigations- 

1. Restrict access to email-processing services where Python handles inbound messages. 

2. Validate and sanitize email headers within application logic. 

3. Monitor logs for abnormal IMAP/POP3 parsing errors. 

4. Test Python-based web applications to detect WSGI header parsing issues. 

You can follow the recommendations below as a best practice- 

• Maintain regular patch management for system packages. 

• Monitor Python runtime libraries for security advisories. 

• Implement secure email validation mechanisms within applications. 

• Use application security testing tools to detect input-validation weaknesses. 

• Monitor logs for abnormal email header patterns or parsing failures. 

Conclusion: 
The vulnerabilities addressed in USN-8018-2 highlight the risks associated with improper email header parsing and regression issues in widely used programming libraries such as Python. The primary concern, CVE-2026-0865, affects WSGI header handling and could disrupt web applications, while CVE-2025-15366 and CVE-2025-15367 relate to email header parsing weaknesses. 

Organizations using Python-based applications or email processing services should prioritize updating affected Ubuntu packages to ensure both security and application stability. 

References:  

• USN-8018-2: Python regression | Ubuntu security notices | Ubuntu  

• https://www.suse.com/security/cve/CVE-2026-0865.html