PatchSiren


CVE-2026-11940 Python Software Foundation CVE debrief

CVE-2026-11940 is a high-severity vulnerability in the extractall() function of Python's tarfile module. A crafted archive can bypass the 'data' or 'tar' extraction filter and achieve out-of-destination file reads or writes. The bypass relies on a hardlink member that references a symlink stored at a deeper name than the hardlink itself, so that the symlink's relative target escapes the destination directory once the link is recreated at the shallower path. The issue results from an incomplete fix for CVE-2025-4330.

Vendor: Python Software Foundation
Product: CPython
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-23
Original CVE updated: 2026-06-23
Advisory published: 2026-06-23
Advisory updated: 2026-06-23

Who should care

Developers and administrators running Python code that extracts tar archives, in particular archives from untrusted sources, are affected. The 'data' and 'tar' filters that callers pass to extractall() precisely to make such extraction safe are what is bypassed here, so code that relies on them is not protected until the standard library is patched. The CVSS score of 7.8 reflects impact and ease of exploitation as rated, not observed exploitation; the stored evidence records no KEV listing.

Technical summary

tarfile.extractall() in Python's standard library can be made to bypass the 'data' or 'tar' filter by a crafted archive in which a hardlink member references a symlink member stored at a deeper name than the hardlink itself. During extraction the fallback validation checks the symlink at its archived (deeper) location, but the link is recreated at the hardlink's shallower path. A relative target that stays inside the destination when evaluated from the deeper location therefore resolves outside it from the shallower one, enabling out-of-destination file reads or writes. The vulnerability results from an incomplete fix for CVE-2025-4330.

Defensive priority

High. The CVSS score of 7.8 and the fact that the bypass defeats the very filters recommended for untrusted input warrant prompt patching. Treat the fix as a standard-library update rather than an application change: any caller of extractall() with filter='data' or 'tar' on untrusted archives reaches the affected code path.

Recommended defensive actions

  • Apply the official fix from the Python maintainers as soon as it is available for your release line.
  • Inventory Python applications that extract tar archives from untrusted sources (build pipelines, upload handlers, package installers) and confirm each runs on a patched standard library.
  • Validate archive contents before extraction: reject symlink and hardlink members, absolute names and parent-directory components for untrusted input, and monitor extraction paths for writes outside the intended destination.
  • Where feasible, use an extraction path with stricter defaults for untrusted input, such as one that refuses link members entirely rather than relying on the 'data' filter alone.
  • Regularly review and update the Python environment so that known vulnerabilities are patched.
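As an added example, not code from the advisory or from CPython, the following pre-extraction audit implements the "validate archive contents before extraction" action above against the member shape described in the technical summary. It refuses symlink and hardlink members outright, so a hardlink pointing at a symlink never reaches path resolution and neither link's target is trusted; it rejects absolute and parent-directory names; and only then extracts, passing filter='data' as a second layer where the running interpreter provides it. The archives, member names and destination are constructed for the example; the SUSPECT archive mirrors the structure the advisory describes but is not a verified reproducer of CVE-2026-11940.

```python
import io
import os
import tarfile
import tempfile
from typing import Dict, List, Optional

# Member types refused outright for untrusted input. Symlinks and hardlinks are
# the primitives the filter bypass chains together; device nodes and FIFOs have
# no place in a data archive.
REJECTED_TYPES = {
    tarfile.SYMTYPE: "symlink",
    tarfile.LNKTYPE: "hardlink",
    tarfile.CHRTYPE: "char device",
    tarfile.BLKTYPE: "block device",
    tarfile.FIFOTYPE: "fifo",
}


def check_member(member: tarfile.TarInfo, dest: str) -> Optional[str]:
    """Return a rejection reason, or None if the member may be extracted."""
    # Type first: a hardlink whose linkname is a symlink is refused before any
    # path reasoning, so neither link's target is ever trusted.
    if member.type in REJECTED_TYPES:
        return f"{REJECTED_TYPES[member.type]} member not allowed"
    name = member.name
    if not name or name.startswith(("/", "\\")) or os.path.isabs(name):
        return "absolute or empty member name"
    if ".." in name.replace("\\", "/").split("/"):
        return "parent-directory component in member name"
    # Defence in depth: the joined path must still resolve inside dest.
    real_dest = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(real_dest, name))
    if os.path.commonpath([real_dest, target]) != real_dest:
        return "member resolves outside destination"
    return None


def audit_archive(data: bytes, dest: str) -> Dict[str, str]:
    """Map each offending member name to its reason; an empty dict means clean."""
    problems: Dict[str, str] = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:
            reason = check_member(member, dest)
            if reason:
                problems[member.name] = reason
    return problems


def safe_extract(data: bytes, dest: str) -> List[tarfile.TarInfo]:
    """Extract into dest only if the whole archive passes the audit."""
    problems = audit_archive(data, dest)
    if problems:
        raise ValueError(f"refusing to extract: {problems}")
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        # Keep the stdlib 'data' filter as a second layer where the running
        # interpreter has it (3.12+ and the 3.8-3.11 backports).
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(path=dest, **kwargs)
        return tar.getmembers()


def extract_to_tempdir(data: bytes) -> Dict[str, bytes]:
    """Extract into a fresh temp dir and return {name: contents} for files."""
    with tempfile.TemporaryDirectory() as dest:
        out = {}
        for m in safe_extract(data, dest):
            if m.isfile():
                with open(os.path.join(dest, m.name), "rb") as fh:
                    out[m.name] = fh.read()
        return out


# Constructed sample archives for this example (not from the advisory).
def _member(name: str, payload: bytes = b"", ltype: bytes = tarfile.REGTYPE,
            linkname: str = ""):
    info = tarfile.TarInfo(name)
    info.type, info.linkname, info.size = ltype, linkname, len(payload)
    return info, payload


def _build(members) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for info, payload in members:
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


BENIGN = _build([_member("docs/readme.txt", b"hello\n")])

# Mirrors the member shape the technical summary describes: a symlink at a
# deeper name whose relative target climbs out, and a hardlink at a shallower
# name referencing it. Illustrative only, not a verified reproducer.
SUSPECT = _build([
    _member("a/b/c.txt", b"x"),
    _member("a/b/escape", ltype=tarfile.SYMTYPE, linkname="../../../outside"),
    _member("escape", ltype=tarfile.LNKTYPE, linkname="a/b/escape"),
])
```

Refusing link members is stricter than the stdlib 'data' filter, which permits links whose targets appear to stay inside the destination; for untrusted input that strictness is the point, since the advisory's bypass lives entirely in how link targets are evaluated. Call audit_archive() first when you want a report, or safe_extract() when you want extraction to fail closed.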

Evidence notes

The CVE record and NVD entry provide the official description of the vulnerability. References into the Python GitHub repository and mailing list show active investigation and discussion of the issue. Public detail on real-world impact and exploitation is limited at the time of writing, so the severity assessment here rests on the CVSS rating and the described mechanism rather than on observed attacks; continued monitoring is warranted.

Official resources

This article is AI-assisted and based on the supplied source corpus.