Symlink Vulnerability in Python's tarfile Module
CVE-2026-11940
What is CVE-2026-11940?
CVE-2026-11940 is a vulnerability identified within the Python Software Foundation's tarfile module, a vital component used for creating and working with tar archives in Python applications. This vulnerability arises from a flaw in the tarfile.extractall() method, where improper validation of symbolic links can occur during file extraction. Specifically, when an attacker crafts a malicious tar archive that creates hardlinks referencing symlinks, the extraction process fails to correctly validate the symlink's path. This improper handling can result in the symlink being recreated in a location that bypasses directory restrictions, potentially allowing the extraction process to write or read files outside designated directories. Therefore, organizations using this module to handle tar archives may inadvertently expose themselves to significant security risks.
Potential impact of CVE-2026-11940
-
Unauthorized File Access: The vulnerability permits attackers to craft tar archives that manipulate symbolic links to point to files beyond intended directory boundaries. This situation could lead to unauthorized reading of sensitive files that should remain protected, allowing exposure of confidential information.
-
Potential Data Corruption: By enabling out-of-bounds writes, attackers could exploit this vulnerability to overwrite critical files or create malicious files within the system. This risk can lead to data corruption and may adversely affect application performance and stability.
-
Increased Attack Surface: The existence of this vulnerability expands the attack surface for organizations utilizing Python's
tarfilemodule, fostering opportunities for further exploitation. If not addressed, this flaw may be used as a vector for escalating more severe attacks, including deploying malicious code or lateral movement within networks.
Affected Version(s)
CPython 0 < 3.15.0
References
CVSS V4
Timeline
Vulnerability published
Vulnerability Reserved
