CVE-2026-11972 Python Software Foundation CVE debrief

Who should care

Developers and administrators using the Python tarfile module, especially in applications that handle untrusted or user-supplied archives, should be aware of this vulnerability. Additionally, organizations using Python-based systems or services that rely on the tarfile module for archive processing should prioritize patching or mitigating this issue.

Technical summary

The tarfile module in Python does not properly handle end-of-file (EOF) when using streaming mode (mode='r|'). This can cause archive parsing to take exponentially longer, leading to a denial-of-service (DoS) condition. The issue is due to the module's inability to detect and handle EOF correctly, resulting in excessive resource consumption. The vulnerability has a CVSS score of 8.2 and is classified as high severity.

Defensive priority

This vulnerability should be prioritized for patching or mitigation, especially in systems or applications that handle untrusted or user-supplied archives. Developers and administrators should ensure that the tarfile module is updated to a version that includes the fix.

Recommended defensive actions

• Update the Python tarfile module to a patched version.
• Implement input validation and sanitization for archive files.
• Use alternative archive processing libraries or tools.
• Monitor system resources and archive processing times for anomalies.
• Consider implementing rate limiting or resource quotas for archive processing.

Evidence notes

The vulnerability was reported by an unknown vendor and is tracked under the identifier CVE-2026-11972. The NVD entry provides additional details, including the CVSS vector and weaknesses (CWE-252, CWE-606, CWE-770).

Official resources