HCE3-SA-2026-0033 Important HCE 3.0 Security Fix(es): When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This allows a malicious server to cause the client to read large amounts of data into memory, potentially causing OOM or other DoS. (CVE-2025-13836) When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues (CVE-2025-13837) If the value passed to os.path.expandvars() is user-controlled a performance degradation is possible when expanding environment variables. (CVE-2025-6075) When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents. (CVE-2025-12084) The _x27;zipfile_x27; module would not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record offset value would not be used to locate the ZIP64 EOCD record, instead the ZIP64 EOCD record would be assumed to be the previous record in the ZIP archive. This could be abused to create ZIP archives that are handled differently by the _x27;zipfile_x27; module compared to other ZIP implementations. Remediation maintains this behavior, but checks that the offset specified in the ZIP64 EOCD Locator record matches the expected value. (CVE-2025-8291) HCE 3.0 python3-3.11.6-10.r15.hce3.x86_64.rpm python3-devel-3.11.6-10.r15.hce3.x86_64.rpm python3-fgo-3.11.6-10.r15.hce3.x86_64.rpm python3-help-3.11.6-10.r15.hce3.noarch.rpm python3-unversioned-command-3.11.6-10.r15.hce3.x86_64.rpm python3-3.11.6-10.r15.hce3.aarch64.rpm python3-devel-3.11.6-10.r15.hce3.aarch64.rpm python3-fgo-3.11.6-10.r15.hce3.aarch64.rpm python3-unversioned-command-3.11.6-10.r15.hce3.aarch64.rpm