TOCTOU Vulnerability in virtualenv Affects Python Environment Management
CVE-2026-22702

4.5 MEDIUM

Key Information:

Vendor: Pypa

CVE Published: 10 January 2026

What is CVE-2026-22702?

Prior to version 20.36.1, virtualenv is susceptible to Time-of-Check to Time-of-Use (TOCTOU) vulnerabilities exploitable by local attackers. These vulnerabilities enable symlink-based attacks during directory creation: a local attacker can exploit the race window between virtualenv's directory existence check and the subsequent directory creation, potentially redirecting its app_data and lock file operations to attacker-controlled locations. This issue underscores the importance of securing Python development environments and highlights the need to update to the patched version.
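The following Python example illustrates the class of bug described above in generic form; it is an added illustration, not virtualenv's own code, and the function names, the `app_data` directory name and the constructed symlink scenario are assumptions. It contrasts a check-then-create pattern, which follows a symlink that is already present where the directory is expected, with a hardened pattern that creates first and then verifies with `os.lstat` that the final path is a real directory rather than a symlink.

```python
import os
import stat
import tempfile


def create_dir_check_then_act(path: str) -> None:
    """Vulnerable pattern (illustration of the TOCTOU class).

    os.path.exists() follows symlinks, so if a symlink already sits at
    `path`, the check passes, no directory is created, and every later
    file operation under `path` lands wherever the link points.
    """
    if not os.path.exists(path):
        os.mkdir(path, 0o700)


def create_dir_atomic(path: str) -> str:
    """Hardened pattern: create without a prior check, then verify the result.

    mkdir() fails atomically with EEXIST if anything (including a symlink)
    already occupies the name, and lstat() inspects the name itself rather
    than whatever it might point to.
    """
    try:
        os.mkdir(path, 0o700)
    except FileExistsError:
        pass
    st = os.lstat(path)  # does not follow symlinks
    if stat.S_ISLNK(st.st_mode):
        raise RuntimeError(f"refusing to use {path}: it is a symlink")
    if not stat.S_ISDIR(st.st_mode):
        raise RuntimeError(f"refusing to use {path}: not a directory")
    # Ownership check is POSIX-only; skipped where os.getuid is unavailable.
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        raise RuntimeError(f"refusing to use {path}: owned by another user")
    return path


def demo() -> dict:
    """Constructed scenario: a symlink already occupies the app_data name.

    Returns whether the vulnerable pattern silently redirected a file write
    and whether the hardened pattern refused the path.
    """
    with tempfile.TemporaryDirectory() as root:
        elsewhere = os.path.join(root, "elsewhere")  # constructed target dir
        os.mkdir(elsewhere)
        app_data = os.path.join(root, "app_data")    # assumed directory name
        os.symlink(elsewhere, app_data)

        # Vulnerable: exists() is True through the link, so mkdir is skipped
        # and the lock file is created inside `elsewhere`.
        create_dir_check_then_act(app_data)
        with open(os.path.join(app_data, "lock"), "w"):
            pass
        vulnerable_redirected = os.path.exists(os.path.join(elsewhere, "lock"))

        # Hardened: mkdir raises FileExistsError, lstat sees a symlink, refuse.
        try:
            create_dir_atomic(app_data)
            hardened_rejected = False
        except RuntimeError:
            hardened_rejected = True

        return {
            "vulnerable_redirected": vulnerable_redirected,
            "hardened_rejected": hardened_rejected,
        }


if __name__ == "__main__":
    print(demo())
```

The essential change is that the hardened version never makes a decision based on a separate existence check; it lets `mkdir` fail atomically and then validates the name it will actually use with `lstat`, which is the property a patch for this bug class needs to provide.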

Affected Version(s)

virtualenv < 20.36.1

CVSS V3.1

Score: 4.5
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published: 10 January 2026

  • Vulnerability reserved