Improper EOF Handling in Python's Tarfile Module
CVE-2026-11972
CVSS v4 score: 8.2 (HIGH)
What is CVE-2026-11972?
The tarfile module in Python improperly handles end of file (EOF) when an archive is opened in streaming mode (the "r|" family of modes, where the input is read sequentially and cannot be seeked). A crafted or truncated archive can drive the parser into an infinite loop. The impact is denial of service: an application that reads tar streams from untrusted input (uploads, network downloads, pipes) can be made to hang indefinitely and burn CPU. The CVSS vector scores availability impact only; confidentiality and integrity are not affected, so this is not a path to file overwrite or code execution by itself.
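A defensive pattern for code that must keep accepting streamed archives before the upgrade lands, as an added example that is not CPython's code and not the upstream fix: wrap the input stream in a guard that counts consecutive zero-length reads after EOF and aborts once a limit is passed. tarfile's streaming reader only needs a `.read(size)` method on the object it is handed, so the wrapper can be passed straight to `tarfile.open(fileobj=..., mode="r|")`. The class and function names (`EOFGuardedStream`, `RunawayReadError`, `read_stream_guarded`, `runaway_consumer`) and the sample archive are this example's own assumptions, not names from the advisory or from CPython.

```python
import io
import tarfile


class RunawayReadError(RuntimeError):
    """Raised when a consumer keeps polling a stream that is already at EOF."""


class EOFGuardedStream:
    """Hypothetical helper (not part of CPython): a file-like wrapper that counts
    consecutive empty reads after EOF and raises once a limit is exceeded.

    A well-behaved parser sees EOF once and stops. A parser stuck in a loop
    that never advances will keep calling read() and hit the limit."""

    def __init__(self, raw, max_empty_reads=8):
        self._raw = raw
        self._max_empty_reads = max_empty_reads
        self._empty_reads = 0
        self.total_read = 0  # bytes actually delivered, for diagnostics

    def read(self, size=-1):
        chunk = self._raw.read(size)
        if chunk:
            self._empty_reads = 0
            self.total_read += len(chunk)
            return chunk
        self._empty_reads += 1
        if self._empty_reads > self._max_empty_reads:
            raise RunawayReadError(
                f"{self._empty_reads} consecutive empty reads after EOF "
                f"(delivered {self.total_read} bytes)"
            )
        return chunk


def build_sample_archive():
    """Constructed sample input: an uncompressed tar with two small regular
    files, written in streaming mode so it is record-padded like a real pipe."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w|") as tf:
        for name, payload in (("a.txt", b"alpha\n"), ("dir/b.txt", b"bravo\n")):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def read_stream_guarded(data, max_empty_reads=8):
    """Parse a tar stream sequentially through the guard and return
    {member name: content} for regular files. Members are consumed in order
    because streaming mode cannot seek backwards."""
    guard = EOFGuardedStream(io.BytesIO(data), max_empty_reads)
    files = {}
    with tarfile.open(fileobj=guard, mode="r|") as tf:
        for member in tf:
            if member.isreg():
                files[member.name] = tf.extractfile(member).read()
    return files


def runaway_consumer(data, max_empty_reads=8):
    """Simulates a parser that never checks for EOF and calls read() forever.
    Returns how many read() calls it made before the guard aborted it."""
    guard = EOFGuardedStream(io.BytesIO(data), max_empty_reads)
    calls = 0
    try:
        while True:
            calls += 1
            guard.read(512)
    except RunawayReadError:
        return calls


if __name__ == "__main__":
    archive = build_sample_archive()
    print(read_stream_guarded(archive))
    print("runaway consumer aborted after", runaway_consumer(archive), "read() calls")
```

The guard converts a loop that keeps polling an exhausted stream into a clean exception, which is the failure mode an EOF-handling bug typically produces. It cannot interrupt a loop that spins on tarfile's internal buffer without touching the file object, so for untrusted input the robust control is still to parse in a worker with a hard time budget (a subprocess with a timeout, or an equivalent watchdog) and to upgrade to a CPython release that carries the fix.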
Affected Version(s)
CPython: all versions before 3.16.0
CVSS V4
Score: 8.2
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: Physical
Privileges Required: Undefined
User Interaction: None
Credit
Ryan Hileman (https://github.com/lunixbochs)
Petr Viktorin (https://github.com/encukou)
Stan Ulbrych (https://github.com/StanFromIreland)
