From 80d6ec7d4d9b1a5896be93c0c5c99c9200a7f24d Mon Sep 17 00:00:00 2001
From: tonghuaroot <23011166+tonghuaroot@users.noreply.github.com>
Date: Fri, 12 Jun 2026 22:46:59 +0800
Subject: [PATCH 1/2] gh-151403: Fix use-after-free when an argv item's
 __fspath__ mutates args

---
 .../2026-06-12-22-46-31.gh-issue-151403.DalZWh.rst        | 3 +++
 Modules/_posixsubprocess.c                                | 8 +++++++-
 2 files changed, 10 insertions(+), 1 deletion(-)
 create mode 100644 Misc/NEWS.d/next/Library/2026-06-12-22-46-31.gh-issue-151403.DalZWh.rst

diff --git a/Misc/NEWS.d/next/Library/2026-06-12-22-46-31.gh-issue-151403.DalZWh.rst b/Misc/NEWS.d/next/Library/2026-06-12-22-46-31.gh-issue-151403.DalZWh.rst
new file mode 100644
index 00000000000000..4b48f90bb20712
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2026-06-12-22-46-31.gh-issue-151403.DalZWh.rst
@@ -0,0 +1,3 @@
+Fixed a crash in :class:`subprocess.Popen` (and ``_posixsubprocess.fork_exec``)
+when an ``argv`` item's :meth:`~object.__fspath__` concurrently mutates the
+``args`` sequence being converted.
diff --git a/Modules/_posixsubprocess.c b/Modules/_posixsubprocess.c
index ddc27c4a5b7356..2aa3923f68e66a 100644
--- a/Modules/_posixsubprocess.c
+++ b/Modules/_posixsubprocess.c
@@ -1090,8 +1090,14 @@ subprocess_fork_exec_impl(PyObject *module, PyObject *process_args,
                 goto cleanup;
             }
             borrowed_arg = PySequence_Fast_GET_ITEM(fast_args, arg_num);
-            if (PyUnicode_FSConverter(borrowed_arg, &converted_arg) == 0)
+            /* borrowed_arg is only borrowed; its __fspath__() may run Python
+               that drops fast_args' last reference to it. */
+            Py_INCREF(borrowed_arg);
+            if (PyUnicode_FSConverter(borrowed_arg, &converted_arg) == 0) {
+                Py_DECREF(borrowed_arg);
                 goto cleanup;
+            }
+            Py_DECREF(borrowed_arg);
             PyTuple_SET_ITEM(converted_args, arg_num, converted_arg);
         }
 

From b4aff152d04231f54b7d1bf09065e19c763e7c2d Mon Sep 17 00:00:00 2001
From: tonghuaroot <23011166+tonghuaroot@users.noreply.github.com>
Date: Sat, 13 Jun 2026 23:13:52 +0800
Subject: [PATCH 2/2] gh-151403: Use os.PathLike.__fspath__ reference in NEWS
 to fix docs build

---
 .../next/Library/2026-06-12-22-46-31.gh-issue-151403.DalZWh.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Misc/NEWS.d/next/Library/2026-06-12-22-46-31.gh-issue-151403.DalZWh.rst b/Misc/NEWS.d/next/Library/2026-06-12-22-46-31.gh-issue-151403.DalZWh.rst
index 4b48f90bb20712..ca779ed684e761 100644
--- a/Misc/NEWS.d/next/Library/2026-06-12-22-46-31.gh-issue-151403.DalZWh.rst
+++ b/Misc/NEWS.d/next/Library/2026-06-12-22-46-31.gh-issue-151403.DalZWh.rst
@@ -1,3 +1,3 @@
 Fixed a crash in :class:`subprocess.Popen` (and ``_posixsubprocess.fork_exec``)
-when an ``argv`` item's :meth:`~object.__fspath__` concurrently mutates the
+when an ``argv`` item's :meth:`~os.PathLike.__fspath__` concurrently mutates the
 ``args`` sequence being converted.