CVE-2026-22702
TOCTOU Symlink Vulnerability in virtualenv Enables Local Attack
Publication date: 2026-01-10
Last updated on: 2026-02-18
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| virtualenv | virtualenv | to 20.36.1 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-59 | The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource. |
| CWE-362 | The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-22702 is a Time-of-Check-Time-of-Use (TOCTOU) vulnerability in the Python tool virtualenv that arises from a race condition during directory creation. The software first checks if a directory exists and then creates it, but between these two steps, an attacker with local access can insert a symbolic link (symlink) to redirect operations to attacker-controlled locations. This affects the creation of app_data and lock file directories, allowing symlink-based attacks that can manipulate cache files and lock files. The vulnerability was fixed by changing the directory creation to an atomic operation using os.makedirs with exist_ok=True, eliminating the race condition. [1, 2, 3]
How can this vulnerability impact me?
If exploited, this vulnerability allows a local attacker to perform symlink attacks that can lead to cache poisoning (corrupting Python wheels or metadata), information disclosure (accessing sensitive cached data), lock bypass (manipulating lock file behavior to cause concurrency issues), and denial of service (preventing virtualenv operations by lock starvation). These impacts can compromise the integrity, confidentiality, and availability of virtualenv's environment setup on multi-user systems where untrusted users have write access to shared directories. [1, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a local TOCTOU race condition in virtualenv's directory creation logic and does not produce network indicators. Detection therefore comes down to checking the version of virtualenv installed on your system: run `virtualenv --version` and treat any version prior to 20.36.2 as vulnerable. Additionally, inspecting the virtualenv installation files for the vulnerable code pattern (check-then-act directory creation) could help, but no specific detection commands for exploitation attempts are provided. [3]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately upgrade virtualenv to version 20.36.2 or later, where the issue is fixed by using atomic directory creation calls. As workarounds, ensure that the environment variable VIRTUALENV_OVERRIDE_APP_DATA points to a directory owned by the current user with restricted permissions (mode 0700), avoid running virtualenv in shared writable temporary directories, and use separate user accounts to isolate app_data directories. These steps reduce the risk of symlink-based attacks exploiting the race condition. [3]
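To make the explanation above and the workaround guidance concrete, here is an added example (not virtualenv's own code) that contrasts the check-then-act directory creation the advisory describes with the single-call `os.makedirs(..., exist_ok=True)` form, and adds a post-creation `lstat` check matching the recommended workaround (a real directory, owned by the current user, mode 0700). The function names `ensure_dir_check_then_act`, `ensure_dir_atomic` and `verify_private_dir` and the scenario in `demo()` are constructed for illustration.

```python
import os
import stat
import tempfile


def ensure_dir_check_then_act(path: str) -> str:
    """Check-then-act pattern (CWE-362/CWE-59): the window between
    exists() and mkdir() is where a symlink can be dropped in."""
    if not os.path.exists(path):
        os.mkdir(path, 0o700)
    return path


def ensure_dir_atomic(path: str) -> str:
    """Single-call creation, the form the advisory says the fix uses."""
    os.makedirs(path, mode=0o700, exist_ok=True)
    return path


def verify_private_dir(path: str) -> bool:
    """Post-creation check matching the page's workaround guidance:
    a real directory (not a symlink), owned by the caller, mode 0700."""
    st = os.lstat(path)  # lstat: do not follow symlinks
    if stat.S_ISLNK(st.st_mode) or not stat.S_ISDIR(st.st_mode):
        return False
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        return False
    return stat.S_IMODE(st.st_mode) == 0o700


def demo() -> tuple:
    """Constructed scenario: a pre-placed symlink named like the lock dir."""
    with tempfile.TemporaryDirectory() as tmp:
        good = ensure_dir_atomic(os.path.join(tmp, "app_data"))
        elsewhere = os.path.join(tmp, "elsewhere")
        os.mkdir(elsewhere, 0o700)
        link = os.path.join(tmp, "lock")
        os.symlink(elsewhere, link)  # stands in for a pre-placed symlink
        # exists() follows the link and returns True, so mkdir is skipped
        # and the redirected location would be used silently; the lstat
        # check catches it while the properly created directory passes
        ensure_dir_check_then_act(link)
        return verify_private_dir(good), verify_private_dir(link)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Running `verify_private_dir` against the directory `VIRTUALENV_OVERRIDE_APP_DATA` points to is a quick way to confirm the workaround is in place.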
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources do not explicitly discuss the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA. However, the vulnerability allows local attackers to perform symlink-based attacks that could lead to information disclosure, cache poisoning, and denial of service, which might indirectly affect data confidentiality and integrity. Organizations handling sensitive data under regulations like GDPR or HIPAA should consider the risk of such vulnerabilities as they could potentially lead to unauthorized data access or disruption of services. Applying the patch and following recommended mitigations would help maintain compliance by reducing the risk of data breaches or service interruptions. [3]