PT-2026-2252 · Unknown · Virtualenv

Tsigouris007 · Published 2026-01-01 · Updated 2026-03-17 · CVE-2026-22702

CVSS v3.1: 4.5 (Medium)
Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: virtualenv versions prior to 20.36.1
Description: virtualenv is a tool for creating isolated virtual Python environments. Prior to version 20.36.1, Time-of-Check to Time-of-Use (TOCTOU) vulnerabilities exist in virtualenv that allow local attackers to perform symlink-based attacks on directory creation operations. An attacker with local access can exploit the race condition between a directory existence check and the subsequent creation to redirect virtualenv's app data and lock file operations to attacker-controlled locations. The vulnerability affects the directory creation operations.
Recommendations: Update virtualenv to version 20.36.1 or later.
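To illustrate the pattern the description refers to, here is the check-then-create form beside a create-then-verify form that leaves no check to race. This is example code written for this page, not virtualenv's own; `naive_ensure_dir`, `safe_ensure_dir` and `demo` are hypothetical names, and a POSIX filesystem where symlinks can be created is assumed.

```python
import os
import stat
import tempfile


def naive_ensure_dir(path: str) -> str:
    """Check-then-create, the pattern the advisory describes. os.path.isdir()
    follows symlinks, so a planted link to another directory passes the check
    and later writes land there; the gap before os.mkdir() is the TOCTOU window."""
    if not os.path.isdir(path):
        os.mkdir(path, 0o700)
    return path


def safe_ensure_dir(path: str) -> str:
    """Create-then-verify: there is no check before the creation to race.
    mkdir() does not follow a symlink on its final component, so it creates our
    directory or raises FileExistsError; lstat() then inspects without following."""
    try:
        os.mkdir(path, 0o700)
    except FileExistsError:
        pass  # something was already there: verify it, do not trust it
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        raise RuntimeError(f"refusing {path!r}: symlink, not a directory")
    if not stat.S_ISDIR(st.st_mode):
        raise RuntimeError(f"refusing {path!r}: not a directory")
    if os.name == "posix" and (st.st_uid != os.geteuid() or st.st_mode & 0o022):
        raise RuntimeError(f"refusing {path!r}: wrong owner or too permissive")
    return path


def demo() -> dict:
    """Constructed scenario: a symlink already sits where the app-data dir belongs."""
    root = tempfile.mkdtemp()
    elsewhere = os.path.join(root, "elsewhere")
    os.mkdir(elsewhere, 0o700)
    planted = os.path.join(root, "app-data")
    os.symlink(elsewhere, planted)  # stands in for a link left by another local user
    results = {"naive_accepts_symlink": naive_ensure_dir(planted) == planted}
    try:
        safe_ensure_dir(planted)
        results["safe_rejects_symlink"] = False
    except RuntimeError:
        results["safe_rejects_symlink"] = True
    fresh = os.path.join(root, "fresh")
    results["safe_creates_fresh"] = safe_ensure_dir(fresh) == fresh and os.path.isdir(fresh)
    return results
```

Running `demo()` shows the naive form accepting the pre-planted link while the create-then-verify form rejects it and still creates a fresh directory normally.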

Weakness Enumeration: Race Condition, Link Following

Related Identifiers

AZL-74210
AZL-74237
BIT-VIRTUALENV-2026-22702
CVE-2026-22702
GHSA-597G-3PHW-6986
OPENSUSE-SU-2026:10055-1
OPENSUSE-SU-2026:20086-1
SUSE-SU-2026:0233-1
SUSE-SU-2026:20129-1

Affected Products

Debian
Virtualenv