Opened 3 weeks ago
Closed 8 days ago
#5961 closed enhancement (fixed)
Python security fixes: CVE-2026-12003,11940,0864,11972
| Reported by: | Joe Locash | Owned by: | SecurityAdvisory |
|---|---|---|---|
| Priority: | high | Milestone: | 13.1 |
| Component: | Book | Version: | git |
| Severity: | normal | Keywords: | |
| Cc: |
Description
3 CVE's have been fixed in Python recently:
There is a MODERATE (CVSSv4 5.3) severity vulnerability affecting
CPython up to (and including) 3.11.15, 3.12.13, 3.13.14, 3.14.6 and
3.15.0b2.
To allow builds of Python to be run from an in-tree layout (rather than
an installed file layout), the VPATH variable is defined at build time
and used to locate certain landmarks - specifically,
Modules/setup.local. When this landmark is found relative to VPATH
relative to the executable, Python assumes it is running in a source
tree and generates a different default sys.path. This code remains in
release builds, so that release-ready builds can be built in-tree.
On Windows, since builds are written to 'PCbuild/<arch>', the value of
VPATH is set to '..\..', which results in a landmark of
'..\..\Modules\setup.local'. This path is outside the install directory
of Python, and may have different permissions, potentially allowing a
low-privilege user to create the landmark and an alternative Lib
folder that will be discovered by an otherwise restricted install.
Such a setup occurs with the legacy default install location for all
users (in the now superseded EXE installer), due to how Windows allows
all users to create folders in the root directory of their OS drive.
**Our recommended mitigation** on Windows is to migrate away from the
legacy installer and use the new Python install
manager to install
for the current user. Installs where the directory two levels above the
Python installation directory have equivalent permissions are unaffected
(in general, a per-user install cannot be modified at all by other
users, removing any escalation of privilege risk, and could be directly
modified by a privileged user, making the potential tampering
irrelevant). Alternative mitigations might include preemptively creating
and restricting access to a Modules directory. Be aware that only 3.13
and 3.14 will receive updated legacy installers - earlier fixes are only
provided as sources.
Platforms other than Windows allow VPATH to be overridden, but as they
don't usually use a separated directory in the build for binaries, are
unlikely to have a landmark reference outside of the install directory.
The landmark detection involving VPATH is a fallback for when a more
specific landmark - .\pybuilddir.txt - is absent, and was included for
compatibility. Future releases of Python will no longer include the
fallback, and so builds will need to generate or preserve the
pybuilddir.txt file in order to work in-tree. This landmark file has
been generated on Windows since 3.11, and on other platforms for longer.
Reported by Jake Yamaki, Senior Consultant, Bishop Fox.
Please see the linked CVE ID for the latest information on affected
versions:
https://www.cve.org/CVERecord?id=CVE-2026-12003
https://github.com/python/cpython/pull/151545
There is a HIGH severity vulnerability affecting CPython.
tarfile.extractall() with the 'data' or 'tar' filter could be bypassed by a
crafted archive where a hardlink references a symlink stored at a deeper
name than the hardlink itself. The extraction fallback validated the
symlink at it's archived location but recreated it at the hardlink's
shallower
path, letting a relative target the filter judged contained escape the
destination directory. This allowed a malicious tar archive to create a
symlink pointing outside the destination, enabling out-of-destination file
reads or writes. This was an incomplete fix of CVE-2025-4330.
Please see the linked CVE ID for the latest information on affected
versions:
https://www.cve.org/CVERecord?id=CVE-2026-11940
https://github.com/python/cpython/pull/151559
There is a MEDIUM severity vulnerability affecting CPython.
When using the "configparser" module to write configuration files
containing multi-line text values with carriage return characters (\r) the
resulting file could be injected with unexpected keys and values if the
attacker controls the written value.
Please see the linked CVE ID for the latest information on affected
versions:
https://www.cve.org/CVERecord?id=CVE-2026-0864
https://github.com/python/cpython/pull/143929
Attachments (1)
Change History (5)
comment:1 by , 3 weeks ago
by , 3 weeks ago
| Attachment: | Python-3.14.6-security_fixes-1.patch added |
|---|
Update patch for CVE-2026-11972
comment:2 by , 3 weeks ago
| Summary: | Python security fixes: CVE-2026-12003,11940,0864 → Python security fixes: CVE-2026-12003,11940,0864,11972 |
|---|
There is a MEDIUM severity vulnerability affecting CPython. When using the "tarfile" module with a file opened in "streaming mode" (mode="r|") the tarfile module did not properly handle EOF, meaning an archive could be parsed in an infinite loop. Please see the linked CVE ID for the latest information on affected versions: * https://www.cve.org/CVERecord?id=CVE-2026-11972 * https://github.com/python/cpython/pull/151982
comment:3 by , 2 weeks ago
| Owner: | changed from to |
|---|
Fixed at commit 4a56fb5d78.
Leaving open for security advisories.
comment:4 by , 8 days ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Advisory sa-13.0-137 has been issued.
Note:
See TracTickets
for help on using tickets.

Please just keep the version number 1. It's unneeded and puzzling to make version 2 as long as version 1 isn't in the book.