CVE-2026-11940

High severity · CVSS 4.0 base score 7.8 · EPSS 44.2%
Published Jun 23, 2026 (1w ago) · Modified Jun 23, 2026 (1w ago)

Description

tarfile.extractall() with the 'data' or 'tar' filter could be bypassed by a crafted archive in which a hardlink references a symlink stored under a deeper name than the hardlink itself. The extraction fallback validated the symlink at its archived location but recreated it at the hardlink's shallower path, so a relative target that the filter had judged to be contained could escape the destination directory. A malicious tar archive could therefore create a symlink pointing outside the destination, enabling out-of-destination file reads or writes. This was an incomplete fix of CVE-2025-4330.

CVSS Details

Base Score
7.8
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
44.2% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 2

CWE-22 Path Traversal (Resource Mgmt)
CWE-59 Improper Link Resolution Before File Access ('Link Following')

References 7

  • https://github.com/python/cpython/commit/27dd970bf6b17ebca7c8ed486a40ab043ed7af8f
  • https://github.com/python/cpython/commit/672825e2f36a57e173959b0d9d409d4560dab8df
  • https://github.com/python/cpython/commit/771d12dda5140313db0ac550292987975651bbde
  • https://github.com/python/cpython/commit/79c06bd5c6afa3c440d50faf7ee1b147c8832b4c
  • https://github.com/python/cpython/issues/151558
  • https://github.com/python/cpython/pull/151559
  • https://mail.python.org/archives/list/security-announce@python.org/thread/LD6QIISNQFQYOIEPJNEUIPV7S3V76FZH/

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.