CVE-2026-22702

NameCVE-2026-22702
Descriptionvirtualenv is a tool for creating isolated virtual python environments. Prior to version 20.36.1, TOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in virtualenv allow local attackers to perform symlink-based attacks on directory creation operations. An attacker with local access can exploit a race condition between directory existence checks and creation to redirect virtualenv's app_data and lock file operations to attacker-controlled locations. This issue has been patched in version 20.36.1.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1125191

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
python-virtualenv (PTS)bullseye20.4.0+ds-2+deb11u1vulnerable
bookworm20.17.1+ds-1vulnerable
trixie20.31.2+ds-1vulnerable
forky, sid20.36.1+ds-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
python-virtualenvsource(unstable)20.36.1+ds-11125191

Notes

[trixie] - python-virtualenv <no-dsa> (Minor issue)
[bookworm] - python-virtualenv <no-dsa> (Minor issue)
[bullseye] - python-virtualenv <postponed> (Minor issue, affected directories normally not in world-writable locations)
https://github.com/pypa/virtualenv/security/advisories/GHSA-597g-3phw-6986
https://github.com/pypa/virtualenv/pull/3013
Fixed by: https://github.com/pypa/virtualenv/commit/dec4cec5d16edaf83a00a658f32d1e032661cebc (20.36.1)
Search for package or bug name: Reporting problems