CVE-2026-22701
TOCTOU Race Condition in Python filelock Causes Lock Failures
Publication date: 2026-01-10
Last updated on: 2026-03-05
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tox-dev | filelock | to 3.20.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-362 | The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently. |
| CWE-59 | The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource. |
| CWE-367 | The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Time-of-Check-Time-of-Use (TOCTOU) race condition in the SoftFileLock implementation of the filelock Python package. It occurs between the permission validation step and the actual creation of the lock file. An attacker with local filesystem access and permission to create symbolic links (symlinks) can exploit this narrow timing window by inserting a symlink at the lock file path after the permission check but before the file is created. This can cause the lock operation to act on an unintended target file or fail, leading to silent lock acquisition failures, denial of service, or unintended file operations on attacker-controlled files. The issue has been fixed by adding the O_NOFOLLOW flag to the file creation call, which prevents following symlinks during lock file creation on platforms that support this flag. [1, 3]
How can this vulnerability impact me? :
This vulnerability can impact you by causing lock operations to fail or behave unexpectedly. Specifically, it can lead to denial of service, where lock acquisition silently fails, or resource serialization errors where multiple processes acquire locks simultaneously. It can also cause unintended file operations on attacker-controlled files if a symlink is exploited. This can disrupt application behavior relying on file locks, potentially causing data corruption or inconsistent states. [1, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a local filesystem race condition involving symlink creation during lock file acquisition, so detection involves monitoring for unexpected symlinks at lock file paths or observing silent lock acquisition failures or denial of service related to filelock usage. There are no specific commands provided in the resources to detect this vulnerability directly. However, you can check for unexpected symlinks in directories where lock files are created using commands like 'find /path/to/lockdir -type l' to list symbolic links. Additionally, monitoring application logs for lock acquisition failures or resource serialization errors may help detect exploitation attempts. [1, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading the filelock package to version 3.20.3 or later, which patches the vulnerability by adding the O_NOFOLLOW flag to prevent symlink following during lock file creation. If upgrading is not immediately possible, avoid using SoftFileLock in security-sensitive contexts, restrict filesystem permissions to prevent untrusted users from creating symlinks in lock directories (e.g., chmod 700 on lock directories), isolate untrusted processes from lock file paths, and consider using UnixFileLock or WindowsFileLock classes instead of SoftFileLock, as they rely on OS-level locking primitives that are not vulnerable to this issue. [1, 2, 3]