Python for Mac

What's new in this version:

Security:
- xml.parsers.expat: Fixed a crash caused by unbounded C recursion when converting deeply nested XML content models with ElementDeclHandler(). This addresses CVE 2026-4224
- Reject control characters in http.cookies.Morsel update() and js_output(). This addresses CVE 2026-3644
- Fixes CVE 2026-2297 by ensuring that SourcelessFileLoader uses io.open_code() when opening .pyc files
- Disallow usage of control characters in status in wsgiref.handlers to prevent HTTP header injections.
- Reject leading dashes in URLs passed to webbrowser.open()

Core and Builtins:
- Fix an unlikely crash when parsing an invalid type comments for function parameters. Found by OSS Fuzz in #492782951
- Initialize _PyInterpreterFrame.visited when copying interpreter frames so incremental GC does not read an uninitialized byte from generator and frame-object copies
- Fix a crash in __get__() for METH_METHOD descriptors when an invalid (non-type) object is passed as the second argument.
- Fixed several error handling issues in the _remote_debugging module, including safer validation of remote int objects, clearer asyncio task chain failures, and cache cleanup fixes that avoid leaking or double-freeing metadata on allocation failure.
- Fix a bug which could cause constant values to be partially corrupted in AArch64 JIT code. This issue is theoretical, and hasn’t actually been observed in unmodified Python interpreters
- Fixed a memory leak in SyntaxError when re-initializing it
- Fixed reference leaks in socket when audit hooks raise exceptions in socket.getaddrinfo() and socket.sendto()
- Fix potential Undefined Behavior in PyUnicodeWriter_WriteASCII() by adding a zero-length check.
- Fix wrong type in _Py_atomic_load_uint16 in the C11 atomics backend (pyatomic_std.h), which used a 32-bit atomic load instead of 16-bit. Found by Mohammed Zuhaib
- Fix repr() for lists and tuples containing NULLs
- Handle properly memory allocation failures on str and float opcodes.
- Fix free-threading scaling bottleneck in sys.intern() and PyObject_SetAttr() by avoiding the interpreter-wide lock when the string is already interned and immortalized
- python --help-env sections are now sorted by environment variable name
- python --help-xoptions is now sorted by -X option name
- Fix GC tracking in structseq.__replace__()
- Fix out-of-bounds access when invoking faulthandler on a CPython build compiled without support for VLAs
- Avoid a pathological case where repeated calls at a specific stack depth could be significantly slower
- Improve scaling of classmethod() and staticmethod() calls in the free-threaded build by avoiding the descriptor __get__ call
- Fix an unlikely crash in the parser when certain errors were erroneously not propagated. Found by OSS Fuzz in #491369109
- Improve scaling of type attribute lookups in the free-threaded build by avoiding contention on the internal type lock
- Fix SystemError when __classdict__ or __conditional_annotations__ is in a class-scope inlined comprehension. Found by OSS Fuzz in #491105000
- Make bytearray.resize() thread-safe in the free-threaded build by using a critical section and calling the lock-held variant of the resize function
- Fixed a memory leak in the free-threaded build where mimalloc pages could become permanently unreclaimable until the owning thread exited
- In the free threading build, skip the stop-the-world pause when reassigning __class__ on a newly created object
- Fix a crash in os.pathconf() when called with -1 as the path argument
- In free-threaded build, fix race condition when calling __sizeof__() on a lis
- Fix reference leaks in various unusual error scenarios
- Fixed a SystemError in the parser when an encoding cookie (for example, UTF-7) decodes to carriage returns (r). Newlines are now normalized after decoding in the string tokenize.
- Fix use-after-free in dict.clear() when the dictionary values are embedded in an object and a destructor causes re-entrant mutation of the dictionary
- Fix compiler assertion fail when a type parameter bound contains an invalid expression in a conditional block
- Fix a crash in the free-threaded build when the dictionary argument to str.maketrans() is concurrently modified
- Fix heap buffer overflow in the parser found by OSS-Fuzz
- Fix a crash in fork child process when perf support is enabled
- Fix undefined behavior in the lexer when start and multi_line_start pointers are NULL in _PyLexer_remember_fstring_buffers() and _PyLexer_restore_fstring_buffers(). The NULL pointer arithmetic (NULL - valid_pointer) is now guarded with explicit NULL checks
- Fix interaction of the Tachyon profiler and ctypes and other modules that load the Python shared library (if present) in an independent map as this was causing the mechanism that loads the binary information to be confused.
- Fix crash when importing a module whose PyInit function raises an exception from a subinterpreter
- Align the QSBR thread state array to a 64-byte cache line boundary to avoid false sharing in the free-threaded build
- Fix potential deadlock when using critical sections during stop-the-world pauses in the free-threaded build
- Fix data races in the free-threaded build when reading frame object attributes while another thread is executing the frame
- Fix a crash when calling SimpleNamespace.__replace__() on non-namespace instances.
- Fix race condition in importlib where a thread could receive a stale module reference when another thread’s import fails
- Ensure the __repr__() for ExceptionGroup and BaseExceptionGroup does not change when the exception sequence that was original passed in to its constructor is subsequently mutated
- Fix an out of bounds read when a single NUL character is read from the standard input.
-While performing garbage collection, clear weakrefs to unreachable objects that are created during running of finalizers. If those weakrefs were are not cleared, they could reveal unreachable objects
- Fix erroneous clearing of an object’s __dict__ if overwritten at runtime
-Literals using the N{name} escape syntax can now construct CJK ideographs and Hangul syllables using case-insensitive names

Library:
- Fix a regression introduced in 3.14.3 and 3.13.12 where the multiprocessing forkserver start method would fail with BrokenPipeError when the parent process had a very large sys.argv. The argv is now passed to the forkserver as separate command-line arguments rather than being embedded in the -c command string, avoiding the operating system’s per-argument length limit
- itertools: Fix a crash in itertools.groupby() when the grouper iterator is concurrently mutated
- ssl: fix a crash when an SNI callback tries to use an SSL object that has already been garbage-collected.
- Fix annotationlib.get_annotations() hanging indefinitely when called with eval_str=True on a callable that has a circular __wrapped__ chain (e.g. f.__wrapped__ = f). Cycle detection using an id-based visited set now stops the traversal and falls back to the globals found so far, mirroring the approach of inspect.unwrap()
- sqlite3: fix a crash when sqlite3.Connection.create_collation() fails with SQLITE_BUSY.
- sqlite3: properly raise MemoryError instead of SystemError when a context callback fails to be allocated.
- Fix struct.pack('f', float): use PyFloat_Pack4() to raise OverflowError.
- The ensurepip module no longer looks for pip-*.whl wheel packages in the current directory
- Update bundled libexpat to version 2.7.5
- zoneinfo: fix crashes when deleting _weak_cache from a zoneinfo.ZoneInfo subclass
- Limit the size of encodings.search_function() cache. Found by OSS Fuzz in #493449985
- All -X options from the Python command line are now propagated to child processes spawned by multiprocessing, not just a hard-coded subset. This makes the behavior consistent between default “spawn” and “forkserver” start methods and the old “fork” start method. The options that were previously not propagated are: context_aware_warnings, cpu_count, disable-remote-debug, int_max_str_digits, lazy_imports, no_debug_ranges, pathconfig_warnings, perf, perf_jit, presite, pycache_prefix, thread_inherit_context, and warn_default_encoding
- zoneinfo: Fix heap buffer overflow reads from malformed TZif data. Found by OSS Fuzz, issues #492245058 and #492230068
- Request signature during mock autospec with FORWARDREF annotation format. This prevents runtime errors when an annotation uses a name that is not defined at runtime
- Avoid undefined behaviour from signed integer overflow when parsing format strings in the struct module. Found by OSS Fuzz in #488466741
- Fix infinite recursion in collections.defaultdict __repr__ when a defaultdict contains itself. Based on analysis by KowalskiThomas in 
- Fix crash in struct when calling repr() or __sizeof__() on an uninitialized struct.Struct object created via Struct.__new__() without calling __init__()
- Detect Android sysconfig ABI correctly on 32-bit ARM Android on 64-bit ARM kerne
- Fix InvalidStateError when cancelling process created by asyncio.create_subprocess_exec() or asyncio.create_subprocess_shell().
- Now functools is safer in free-threaded build when using keywords in functools.partial(
- venv: Prevent incorrect preservation of SELinux context when copying the Activate.ps1 script. The script inherited the SELinux security context of the system template directory, rather than the destination project directory
- Fix double free and null pointer dereference in unusual error scenarios in hashlib and hmac modules
- hmac: fix a crash when the initialization of the underlying C extension module fails
- hashlib: fix a crash when the initialization of the underlying C extension module fails
- Base64 decoder (see binascii.a2b_base64(), base64.b64decode(), etc) no longer ignores excess data after the first padded quad in non-strict (default) mode. Instead, in conformance with RFC 4648, section 3.3, it now ignores the pad character, “=”, if it is present before the end of the encoded data
- Avoid undefined behaviour from signed integer overflow when parsing format strings in the struct module
- Fix crash in xml.parsers.expat.xmlparser.ExternalEntityParserCreate() when an allocation fails. The error paths could dereference NULL handlers and double-decrement the parent parser’s reference count
-Fix unicodedata.decomposition() for Hangul characters
- Fix a memory leak in atexit.register().
- Fix data races in io.IncrementalNewlineDecoder in the free-threaded build
- Make collections.deque copy atomic in the free-threaded build
- Added missing explanations for some parameters in glob.glob() and glob.iglob()
- Fixed a use-after-free in ssl when SSL_new() returns NULL in newPySSLSocket(). The error was reported via a dangling pointer after the object had already been freed
- Fix argparse.ArgumentParser to be pickleable
- Fix inconsistent display of long multiline pasted content in the REPL
- Fix the folding of headers by the email library when RFC 2047 encoded words are used. Now whitespace is correctly preserved and also correctly added between adjacent encoded words. The latter property was broken by the fix for -which mostly fixed previous failures to preserve whitespace
-Fixed a hang on Windows in the tempfile module when trying to create a temporary file or subdirectory in a non-writable directory
- multiprocessing.freeze_support() no longer sets the default start method as a side effect, which previously caused a subsequent multiprocessing.set_start_method() call to raise RuntimeError
- Calling repr() on functools.partial() is now safer when the partial object’s internal attributes are replaced while the string representation is being generated
- Bump the version of pip bundled in ensurepip to version 26.0.
- Fix performance regression in asyncio.all_tasks() on free-threaded builds.
- Fix crash in _remote_debugging that caused test_external_inspection to intermittently fail.
- Update bundled libexpat to 2.7.
- Fixed a crash in socket.sendmsg() that could occur if ancillary data is mutated re-entrantly during argument parsing
- Fix a crash in itertools.groupby that could occur when a user-defined __eq__() method re-enters the iterator during key comparison
- Fix a crash in _interpchannels.list_all() after closing a channel
- Allow scheduler and setpgroup arguments to be explicitly None when calling os.posix_spawn() or os.posix_spawnp().
- Raise TypeError instead of SystemError when the scheduler in os.posix_spawn() or os.posix_spawnp() is not a tuple.
- ssl: fix reference leaks in ssl.SSLContext objects.
- Fix ctypes.CDLL to honor the handle parameter on POSIX systems
- zoneinfo: fix a crash when instantiating ZoneInfo objects for which the internal class-level cache is inconsistent
- Fix a race condition between zoneinfo.ZoneInfo creation and zoneinfo.ZoneInfo.clear_cache() that could raise KeyError
- Fix assertion failure in sqlite3 blob subscript when slicing with indices that result in an empty slice
- Fix asyncio.StreamWriter.start_tls() to transfer buffered data from StreamReader to the SSL layer, preventing data loss when upgrading a connection to TLS mid-stream (e.g., when implementing PROXY protocol support)
- Don’t change tarfile.TarInfo type from AREGTYPE to DIRTYPE when parsing GNU long name or link headers
- Improve AttributeError suggestions for classes with a custom __dir__() method returning a list of unsortable values.
- Get rid of any possibility of a name conflict for named pipes in multiprocessing and asyncio on Windows, no matter how small
-Support lookup for Tangut Ideographs in unicodedata
bpo-40243: Fix unicodedata.ucd_3_2_0.numeric() for non-decimal values.

Documentation:
- Expand argparse documentation for type=bool with a demonstration of the surprising behavior and pointers to common alternatives
- Fix text wrapping and formatting of -X option descriptions in the python(1) man page by using proper roff markup
- Document missing public wave.Wave_write getter methods
- A new “Improve this page” link is available in the left-hand sidebar of the docs, offering links to create GitHub issues, discussion forum posts, or pull requests

Tests:
- The Android testbed’s emulator RAM has been increased from 2 GB to 4 GB
- Fix a race condition in regrtest: make sure that the temporary directory is created in the worker process. Previously, temp_cwd() could fail on Windows if the “build” directory was not created.
- When Python was compiled with system expat older then 2.7.2 but tests run with newer expat, still skip test.test_pyexpat.MemoryProtectionTest

Build:
- The Android testbed can now be built for 32-bit ARM and x86 targets
- The iOS XCframework build script now ensures libpython isn’t included in installed app content, and is more robust in identifying standard library binary content that requires processing
- The Android build script was modified to improve parity with other platform build scripts
- The clean target for the Apple/iOS XCframework build script is now more selective when targeting a single architecture
- When Python build is optimized with GCC using PGO, use -fprofile-update=atomic option to use atomic operations when updating profile information. This option reduces the risk of gcov Data Files (.gcda) corruption which can cause random GCC crashes.

Windows:
- Defers loading of the psapi.dll module until it is used by ctypes.util.dllist()
- Updated bundled version of OpenSSL to 3.0.19
- Fix REPL cursor position on Windows when module completion suggestion line hits console width
C API:
- PyUnicodeWriter_WriteRepr() now supports NULL argument
- Use GCC dialect alternatives for inline assembly in object.h so that the Python headers compile correctly with -masm=intel
- Made PyUnstable_Code_SetExtra(), PyUnstable_Code_GetExtra(), and PyUnstable_Eval_RequestCodeExtraIndex() thread-safe on the free threaded build