CVE-2026-11972
Awaiting Analysis Awaiting Analysis - Queue

Tarfile Module Infinite Loop via Malformed Archive

Vulnerability report for CVE-2026-11972, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-23

Last updated on: 2026-06-30

Assigner: Python Software Foundation

Description

When using the "tarfile" module with a file opened in "streaming mode" (mode="r|") the tarfile module did not properly handle EOF, making archive parsing take exponentially longer.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-23
Last Modified
2026-06-30
Generated
2026-07-15
AI Q&A
2026-06-24
EPSS Evaluated
2026-07-14
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
python tarfile *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
CWE-606 The product does not properly check inputs that are used for loop conditions, potentially leading to a denial of service or other consequences because of excessive looping.
CWE-252 The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability occurs in the Python tarfile module when a file is opened in streaming mode (mode="r|"). The module does not properly handle the end-of-file (EOF) condition, which can cause the archive to be parsed in an infinite loop.

Impact Analysis

The impact of this vulnerability is that processing a tar archive in streaming mode could cause an application to enter an infinite loop, potentially leading to denial of service by consuming excessive CPU resources or causing the application to become unresponsive.

Detection Guidance

This vulnerability occurs when using Python's tarfile module with a file opened in streaming mode (mode="r|"). It causes the tarfile module to enter an infinite loop when handling EOF improperly.

To detect this vulnerability on your system, you can check if your Python environment uses a vulnerable version of the tarfile module (before the fix was applied).

There are no specific network detection commands provided in the resources. However, you can test for the vulnerability by running a Python script that attempts to read a tar archive in streaming mode and observing if it hangs or loops indefinitely.

Example Python command to test for the issue (run in a safe environment):

  • ```python import tarfile with tarfile.open('your_archive.tar', mode='r|') as tar: for member in tar: print(member.name) ```

If this script hangs or loops indefinitely, your tarfile module is likely vulnerable.

Mitigation Strategies

The primary mitigation step is to update Python to a version where the vulnerability has been fixed.

The fix was merged on June 23, 2026, and backported to Python versions 3.10 through 3.15 and later versions.

If updating is not immediately possible, avoid using the tarfile module in streaming mode (mode="r|") to process untrusted or large tar archives.

Monitor for patches or updates from your Python distribution and apply them as soon as they become available.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-11972. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart