TOCTOU Vulnerability in virtualenv Affects Python Environment Management
CVE-2026-22702
4.5MEDIUM
What is CVE-2026-22702?
Prior to version 20.36.1, virtualenv is susceptible to Time-of-Check-Time-of-Use (TOCTOU) vulnerabilities that expose it to local attackers. These vulnerabilities enable the execution of symlink-based attacks during directory creation operations. An attacker with local access can leverage the race condition present between directory existence checks and directory creation, potentially rerouting virtualenv's app_data and lock file operations to locations controlled by the attacker. This issue underscores the importance of securing Python development environments and highlights the need for updating to the patched version.
Affected Version(s)
virtualenv < 20.36.1
