PT-2026-2251 · Pypi+3 · Filelock+3

George Tsigourakos +1 · Published 2026-01-01 · Updated 2026-03-17 · CVE-2026-22701

CVSS v3.1: 5.3 (Medium)
Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H

Name of the Vulnerable Software and Affected Versions: filelock versions prior to 3.20.3

Description: A race condition exists in the SoftFileLock implementation of the filelock package. An attacker with local filesystem access and permission to create symlinks can exploit a timing issue between permission validation and file creation. The race occurs in the acquire() method, between the call to raise_on_not_writable_file() and the call to os.open(). An attacker can create a symlink at the lock file path, potentially causing the lock to operate on an unintended target file or leading to denial of service.

Recommendations: Upgrade to filelock version 3.20.3 or later.
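
The check-then-open window described above, shown next to an atomic no-follow create. This is an added example, not filelock's code or its 3.20.3 patch; the function names, the between hook that stands in for a second local process, and the temporary paths are constructed for illustration.

```python
import errno
import os
import stat
import tempfile


def acquire_check_then_open(path, between=lambda: None):
    """Simplified check-then-open; NOT filelock's code."""
    if os.path.exists(path) and not os.access(path, os.W_OK):
        raise PermissionError(path)
    between()  # constructed hook: another local process acting inside the window
    return os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o644)


def acquire_no_follow(path, between=lambda: None):
    """Single atomic create that refuses anything already present at path."""
    between()
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    try:
        fd = os.open(path, flags, 0o644)
    except OSError as exc:
        if exc.errno in (errno.EEXIST, errno.ELOOP):
            return None  # held lock or a planted link: treat as "not acquired"
        raise
    if not stat.S_ISREG(os.fstat(fd).st_mode):  # verify the object we opened
        os.close(fd)
        return None
    return fd


def demo():
    """Returns (size after weak acquire, hardened result, size after hardened)."""
    with tempfile.TemporaryDirectory() as d:  # constructed sandbox paths
        other, lock = os.path.join(d, "data.txt"), os.path.join(d, "app.lock")

        def plant():
            os.symlink(other, lock)

        with open(other, "w") as f:
            f.write("important")
        os.close(acquire_check_then_open(lock, plant))
        weak_size = os.path.getsize(other)
        os.unlink(lock)
        with open(other, "w") as f:
            f.write("important")
        fd = acquire_no_follow(lock, plant)
        return weak_size, fd, os.path.getsize(other)


if __name__ == "__main__":
    print(demo())
```

The hardened path reports "not acquired" when a link sits at the lock path, so callers still need a timeout to bound the denial-of-service case.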

Exploit

Fix

DoS · Link Following · Race Condition · Time Of Check To Time Of Use

Weakness Enumeration

Related Identifiers

AZL-74234
AZL-79235
CVE-2026-22701
GHSA-QMGC-5H2G-MVRW
OESA-2026-1237
OESA-2026-1238
OESA-2026-1239
OESA-2026-1240
OPENSUSE-SU-2026:10043-1
OPENSUSE-SU-2026:20144-1
SUSE-SU-2026:0220-1
SUSE-SU-2026:0335-1
SUSE-SU-2026:20216-1
USN-7999-1

Affected Products

Debian
Linuxmint
Ubuntu
Filelock