CVE-2026-22701
Unknown Unknown - Not Provided
TOCTOU Race Condition in Python filelock Causes Lock Failures

Publication date: 2026-01-10

Last updated on: 2026-03-05

Assigner: GitHub, Inc.

Description
filelock is a platform-independent file lock for Python. Prior to version 3.20.3, a TOCTOU race condition vulnerability exists in the SoftFileLock implementation of the filelock package. An attacker with local filesystem access and permission to create symlinks can exploit a race condition between the permission validation and file creation to cause lock operations to fail or behave unexpectedly. The vulnerability occurs in the _acquire() method between raise_on_not_writable_file() (permission check) and os.open() (file creation). During this race window, an attacker can create a symlink at the lock file path, potentially causing the lock to operate on an unintended target file or leading to denial of service. This issue has been patched in version 3.20.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-10
Last Modified
2026-03-05
Generated
2026-06-16
AI Q&A
2026-01-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-22701
EUVD
EUVD-2026-1870
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
tox-dev filelock to 3.20.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-367 The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
CWE-362 The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
CWE-59 The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Time-of-Check-Time-of-Use (TOCTOU) race condition in the SoftFileLock implementation of the filelock Python package. It occurs between the permission validation step and the actual creation of the lock file. An attacker with local filesystem access and permission to create symbolic links (symlinks) can exploit this narrow timing window by inserting a symlink at the lock file path after the permission check but before the file is created. This can cause the lock operation to act on an unintended target file or fail, leading to silent lock acquisition failures, denial of service, or unintended file operations on attacker-controlled files. The issue has been fixed by adding the O_NOFOLLOW flag to the file creation call, which prevents following symlinks during lock file creation on platforms that support this flag. [1, 3]

Impact Analysis

This vulnerability can impact you by causing lock operations to fail or behave unexpectedly. Specifically, it can lead to denial of service, where lock acquisition silently fails, or resource serialization errors where multiple processes acquire locks simultaneously. It can also cause unintended file operations on attacker-controlled files if a symlink is exploited. This can disrupt application behavior relying on file locks, potentially causing data corruption or inconsistent states. [1, 3]

Detection Guidance

This vulnerability is a local filesystem race condition involving symlink creation during lock file acquisition, so detection involves monitoring for unexpected symlinks at lock file paths or observing silent lock acquisition failures or denial of service related to filelock usage. There are no specific commands provided in the resources to detect this vulnerability directly. However, you can check for unexpected symlinks in directories where lock files are created using commands like 'find /path/to/lockdir -type l' to list symbolic links. Additionally, monitoring application logs for lock acquisition failures or resource serialization errors may help detect exploitation attempts. [1, 3]

Mitigation Strategies

Immediate mitigation steps include upgrading the filelock package to version 3.20.3 or later, which patches the vulnerability by adding the O_NOFOLLOW flag to prevent symlink following during lock file creation. If upgrading is not immediately possible, avoid using SoftFileLock in security-sensitive contexts, restrict filesystem permissions to prevent untrusted users from creating symlinks in lock directories (e.g., chmod 700 on lock directories), isolate untrusted processes from lock file paths, and consider using UnixFileLock or WindowsFileLock classes instead of SoftFileLock, as they rely on OS-level locking primitives that are not vulnerable to this issue. [1, 2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22701. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart