Python 3.13.13

What's new in this version:

macOS:
- Update macOS installer to use OpenSSL 3.0.19
- Invoke osascript with absolute path in webbrowser and turtledemo

Windows:
- Updated bundled version of OpenSSL to 3.0.19
- Fix REPL cursor position on Windows when module completion suggestion line hits console width

Tests:
- The Android testbed’s emulator RAM has been increased from 2 GB to 4 GB
- Fix a race condition in regrtest: make sure that the temporary directory is created in the worker process. Previously, temp_cwd() could fail on Windows if the “build” directory was not created
- When Python was compiled with system expat older then 2.7.2 but tests run with newer expat, still skip test.test_pyexpat.MemoryProtectionTest

Security:
- xml.parsers.expat: Fixed a crash caused by unbounded C recursion when converting deeply nested XML content models with ElementDeclHandler(). This addresses CVE 2026-4224
- Reject control characters in http.cookies.Morsel update() and js_output(). This addresses CVE 2026-3644
- Fixes CVE 2026-2297 by ensuring that SourcelessFileLoader uses io.open_code() when opening .pyc files
- Disallow usage of control characters in status in wsgiref.handlers to prevent HTTP header injections
- Reject leading dashes in URLs passed to webbrowser.open()

Library:
- Fix a regression introduced in 3.14.3 and 3.13.12 where the multiprocessing forkserver start method would fail with BrokenPipeError when the parent process had a very large sys.argv. The argv is now passed to the forkserver as separate command-line arguments rather than being embedded in the -c command string, avoiding the operating system’s per-argument length limit
- itertools: Fix a crash in itertools.groupby() when the grouper iterator is concurrently mutated
- ssl: fix a crash when an SNI callback tries to use an SSL object that has already been garbage-collected
- sqlite3: fix a crash when sqlite3.Connection.create_collation() fails with SQLITE_BUSY
- sqlite3: properly raise MemoryError instead of SystemError when a context callback fails to be allocated
- Fix struct.pack('f', float): use PyFloat_Pack4() to raise OverflowError
- The ensurepip module no longer looks for pip-*.whl wheel packages in the current directory
- Update bundled libexpat to version 2.7.5
- zoneinfo: fix crashes when deleting _weak_cache from a zoneinfo.ZoneInfo subclass
- Limit the size of encodings.search_function() cache
- zoneinfo: Fix heap buffer overflow reads from malformed TZif data
- Avoid undefined behaviour from signed integer overflow when parsing format strings in the struct module
- Fix infinite recursion in collections.defaultdict __repr__ when a defaultdict contains itself. Based on analysis by KowalskiThomas in gh-145492
- Fix crash in struct when calling repr() or __sizeof__() on an uninitialized struct.Struct object created via Struct.__new__() without calling __init__()
- Detect Android sysconfig ABI correctly on 32-bit ARM Android on 64-bit ARM kerne
- Fix null pointer dereference in unusual error scenario in hashlib
- Fix InvalidStateError when cancelling process created by asyncio.create_subprocess_exec() or asyncio.create_subprocess_shell()
- venv: Prevent incorrect preservation of SELinux context when copying the Activate.ps1 script. The script inherited the SELinux security context of the system template directory, rather than the destination project directory
- hashlib: fix a crash when the initialization of the underlying C extension module fails
- Base64 decoder (see binascii.a2b_base64(), base64.b64decode(), etc) no longer ignores excess data after the first padded quad in non-strict (default) mode. Instead, in conformance with RFC 4648, section 3.3, it now ignores the pad character, “=”, if it is present before the end of the encoded data
- Avoid undefined behaviour from signed integer overflow when parsing format strings in the struct module
- Fix crash in xml.parsers.expat.xmlparser.ExternalEntityParserCreate() when an allocation fails. The error paths could dereference NULL handlers and double-decrement the parent parser’s reference count
-Fix unicodedata.decomposition() for Hangul characters
- Added missing explanations for some parameters in glob.glob() and glob.iglob()
- Fixed a use-after-free in ssl when SSL_new() returns NULL in newPySSLSocket(). The error was reported via a dangling pointer after the object had already been freed
- Fix inconsistent display of long multiline pasted content in the REPL
- Fix the folding of headers by the email library when RFC 2047 encoded words are used. Now whitespace is correctly preserved and also correctly added between adjacent encoded words. The latter property was broken by the fix for gh-92081, which mostly fixed previous failures to preserve whitespace
- Fixed a hang on Windows in the tempfile module when trying to create a temporary file or subdirectory in a non-writable directory
- multiprocessing.freeze_support() no longer sets the default start method as a side effect, which previously caused a subsequent multiprocessing.set_start_method() call to raise RuntimeError
- Calling repr() on functools.partial() is now safer when the partial object’s internal attributes are replaced while the string representation is being generated
- Bump the version of pip bundled in ensurepip to version 26.0.
- Update bundled libexpat to 2.7.
- Fixed a crash in socket.sendmsg() that could occur if ancillary data is mutated re-entrantly during argument parsing
- Fix data race in functools.partial() in the free threading build
- Fix a crash in itertools.groupby that could occur when a user-defined __eq__() method re-enters the iterator during key comparison
- Fix a crash in _interpchannels.list_all() after closing a channel
- Allow scheduler and setpgroup arguments to be explicitly None when calling os.posix_spawn() or os.posix_spawnp()
- Raise TypeError instead of SystemError when the scheduler in os.posix_spawn() or os.posix_spawnp() is not a tuple
- Fix ctypes.CDLL to honor the handle parameter on POSIX systems
- zoneinfo: fix a crash when instantiating ZoneInfo objects for which the internal class-level cache is inconsistent
- Fix a race condition between zoneinfo.ZoneInfo creation and zoneinfo.ZoneInfo.clear_cache() that could raise KeyError
- Fix assertion failure in sqlite3 blob subscript when slicing with indices that result in an empty slice
- Fix asyncio.StreamWriter.start_tls() to transfer buffered data from StreamReader to the SSL layer, preventing data loss when upgrading a connection to TLS mid-stream (e.g., when implementing PROXY protocol support)
- Don’t change tarfile.TarInfo type from AREGTYPE to DIRTYPE when parsing GNU long name or link headers
- Improve AttributeError suggestions for classes with a custom __dir__() method returning a list of unsortable values
- Fix SyntaxError when inspect.get_annotations(f, eval_str=True) is called on a function annotated with a PEP 646 star_expressio
- Get rid of any possibility of a name conflict for named pipes in multiprocessing and asyncio on Windows, no matter how small
- Support lookup for Tangut Ideographs in unicodedata
- bpo-40243: Fix unicodedata.ucd_3_2_0.numeric() for non-decimal values

Documentation:
- Expand argparse documentation for type=bool with a demonstration of the surprising behavior and pointers to common alternatives
- Document missing public wave.Wave_write getter methods

Core and Builtins:
- Fix an unlikely crash when parsing an invalid type comments for function parameters
- Fix a crash in __get__() for METH_METHOD descriptors when an invalid (non-type) object is passed as the second argument
- Fix a bug which could cause constant values to be partially corrupted in AArch64 JIT code. This issue is theoretical, and hasn’t actually been observed in unmodified Python interpreters
- Fixed a memory leak in SyntaxError when re-initializing it
- Fixed reference leaks in socket when audit hooks raise exceptions in socket.getaddrinfo() and socket.sendto()
- Fix wrong type in _Py_atomic_load_uint16 in the C11 atomics backend (pyatomic_std.h), which used a 32-bit atomic load instead of 16-bit
- Fix repr() for lists containing NULLs
- python --help-env sections are now sorted by environment variable name
- Fix GC tracking in structseq.__replace__()
- Avoid a pathological case where repeated calls at a specific stack depth could be significantly slower
- Fix an unlikely crash in the parser when certain errors were erroneously not propagated
- Fix SystemError when __classdict__ or __conditional_annotations__ is in a class-scope inlined comprehension
- Fix a crash in os.pathconf() when called with -1 as the path argument
- Fixed a SystemError in the parser when an encoding cookie (for example, UTF-7) decodes to carriage returns (\r). Newlines are now normalized after decoding in the string tokenizer
- Patch by Pablo Galindo
- Fix use-after-free in dict.clear() when the dictionary values are embedded in an object and a destructor causes re-entrant mutation of the dictionary
- Fix a bug when calling certain methods at the recursion limit which manifested as a corruption of Python’s operand stack
- Fix heap buffer overflow in the parser found by OSS-Fuzz
- Fix a crash in fork child process when perf support is enabled
- Fix undefined behavior in the lexer when start and multi_line_start pointers are NULL in _PyLexer_remember_fstring_buffers() and _PyLexer_restore_fstring_buffers(). The NULL pointer arithmetic (NULL - valid_pointer) is now guarded with explicit NULL checks
- Fix crash when importing a module whose PyInit function raises an exception from a subinterpreter
- Fix a crash when calling SimpleNamespace.__replace__() on non-namespace instances
- Fix race condition in importlib where a thread could receive a stale module reference when another thread’s import fails
- Fix an out of bounds read when a single NUL character is read from the standard input
-While performing garbage collection, clear weakrefs to unreachable objects that are created during running of finalizers. If those weakrefs were are not cleared, they could reveal unreachable objects
- Fix erroneous clearing of an object’s __dict__ if overwritten at runtime
- Literals using the \N{name} escape syntax can now construct CJK ideographs and Hangul syllables using case-insensitive names

Build:
- The Android testbed can now be built for 32-bit ARM and x86 targets
- The Android build script was modified to improve parity with other platform build scripts
- When Python build is optimized with GCC using PGO, use -fprofile-update=atomic option to use atomic operations when updating profile information. This option reduces the risk of gcov Data Files (.gcda) corruption which can cause random GCC crashes
- Fix AIX build failures caused by incorrect struct alignment in _Py_CODEUNIT and _Py_BackoffCounter by adding AIX-specific #pragma pack directives