#5961 new enhancement

Python security fixes: CVE-2026-12003,11940,0864

Reported by: Joe Locash Owned by: lfs-book
Priority: high Milestone: 13.1
Component: Book Version: git
Severity: normal Keywords:
Cc:

Description

3 CVEs have been fixed in Python recently:

There is a MODERATE (CVSSv4 5.3) severity vulnerability affecting
CPython up to (and including) 3.11.15, 3.12.13, 3.13.14, 3.14.6 and
3.15.0b2.

To allow builds of Python to be run from an in-tree layout (rather than
an installed file layout), the VPATH variable is defined at build time
and used to locate certain landmarks - specifically,
Modules/setup.local. When this landmark is found relative to VPATH
relative to the executable, Python assumes it is running in a source
tree and generates a different default sys.path. This code remains in
release builds, so that release-ready builds can be built in-tree.

On Windows, since builds are written to 'PCbuild/<arch>', the value of
VPATH is set to '..\..', which results in a landmark of
'..\..\Modules\setup.local'. This path is outside the install directory
of Python, and may have different permissions, potentially allowing a
low-privilege user to create the landmark and an alternative Lib
folder that will be discovered by an otherwise restricted install.

Such a setup occurs with the legacy default install location for all
users (in the now superseded EXE installer), due to how Windows allows
all users to create folders in the root directory of their OS drive.

**Our recommended mitigation** on Windows is to migrate away from the
legacy installer and use the new Python install
manager to install
for the current user. Installs where the directory two levels above the
Python installation directory have equivalent permissions are unaffected
(in general, a per-user install cannot be modified at all by other
users, removing any escalation of privilege risk, and could be directly
modified by a privileged user, making the potential tampering
irrelevant). Alternative mitigations might include preemptively creating
and restricting access to a Modules directory. Be aware that only 3.13
and 3.14 will receive updated legacy installers - earlier fixes are only
provided as sources.

Platforms other than Windows allow VPATH to be overridden, but as they
don't usually use a separated directory in the build for binaries, are
unlikely to have a landmark reference outside of the install directory.

The landmark detection involving VPATH is a fallback for when a more
specific landmark - .\pybuilddir.txt - is absent, and was included for
compatibility. Future releases of Python will no longer include the
fallback, and so builds will need to generate or preserve the
pybuilddir.txt file in order to work in-tree. This landmark file has
been generated on Windows since 3.11, and on other platforms for longer.

Reported by Jake Yamaki, Senior Consultant, Bishop Fox.

Please see the linked CVE ID for the latest information on affected
versions:

    https://www.cve.org/CVERecord?id=CVE-2026-12003
    https://github.com/python/cpython/pull/151545

There is a HIGH severity vulnerability affecting CPython.

tarfile.extractall() with the 'data' or 'tar' filter could be bypassed by a
crafted archive where a hardlink references a symlink stored at a deeper
name than the hardlink itself.  The extraction fallback validated the
symlink at its archived location but recreated it at the hardlink's
shallower path, letting a relative target the filter judged contained escape
the destination directory.  This allowed a malicious tar archive to create a
symlink pointing outside the destination, enabling out-of-destination file
reads or writes. This was an incomplete fix of CVE-2025-4330.

Please see the linked CVE ID for the latest information on affected
versions:

    https://www.cve.org/CVERecord?id=CVE-2026-11940
    https://github.com/python/cpython/pull/151559
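
An added pre-extraction check illustrating the shape described above; it is not part of this ticket, of the attached patch, or of CPython itself. It lists hardlink members whose target is a symlink member of the same archive and reports whether the symlink's relative target stays inside the extraction root when resolved from the symlink's own stored directory versus from the hardlink's shallower directory. The archive it inspects is constructed in memory with placeholder names.

```python
import io
import posixpath
import tarfile

def _escapes(base_dir: str, target: str) -> bool:
    """True if symlink target, resolved from archive-relative base_dir, leaves the root."""
    if target.startswith("/"):
        return True
    joined = posixpath.normpath(posixpath.join(base_dir, target))
    return joined == ".." or joined.startswith("../")

def build_sample_archive() -> bytes:
    """Constructed sample: a deep symlink whose target is contained from its own
    location, plus a shallower hardlink that references that symlink member."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        sym = tarfile.TarInfo("a/b/c/link")
        sym.type = tarfile.SYMTYPE
        sym.linkname = "../../../docs/readme.txt"  # resolves to docs/readme.txt from a/b/c/
        tar.addfile(sym)
        hard = tarfile.TarInfo("link2")  # stored one level up from a/b/c/link
        hard.type = tarfile.LNKTYPE
        hard.linkname = "a/b/c/link"
        tar.addfile(hard)
    return buf.getvalue()

def audit_hardlinks(data: bytes) -> list[dict]:
    """Report hardlink members pointing at symlink members, with escape status
    computed from both the symlink's stored directory and the hardlink's directory."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        members = tar.getmembers()
        by_name = {m.name: m for m in members}
        for m in members:
            if not m.islnk():
                continue
            target = by_name.get(m.linkname)
            if target is None or not target.issym():
                continue
            findings.append({
                "hardlink": m.name,
                "symlink": target.name,
                "target": target.linkname,
                "escapes_at_symlink": _escapes(posixpath.dirname(target.name), target.linkname),
                "escapes_at_hardlink": _escapes(posixpath.dirname(m.name), target.linkname),
            })
    return findings
```

A finding with escapes_at_symlink False and escapes_at_hardlink True is exactly the inconsistency the advisory describes; rejecting any archive that produces such a finding before calling extractall() is a conservative policy for untrusted input.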

There is a MEDIUM severity vulnerability affecting CPython.

When using the "configparser" module to write configuration files
containing multi-line text values with carriage return characters (\r) the
resulting file could be injected with unexpected keys and values if the
attacker controls the written value.

Please see the linked CVE ID for the latest information on affected
versions:

    https://www.cve.org/CVERecord?id=CVE-2026-0864
    https://github.com/python/cpython/pull/143929

Attachments (1)

Python-3.14.6-security_fixes-1.patch (14.5 KB ) - added by Joe Locash 83 minutes ago.

