PT-2026-49724 · Python+1 · Cpython

Jake Yamaki +1 · Published 2026-06-16 · Updated 2026-06-17 · CVE-2026-12003
CVSS v4.0: 5.3 Medium
Vector: AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions: Python (affected versions not specified)
Description: On Windows, Python uses the build-time VPATH value as a relative path to locate landmarks such as 'Modules/Setup.local'. Finding the landmark tells the interpreter that it is running from a source tree, and it then adjusts the default sys.path to use that tree's Lib folder instead of the installed one. In certain configurations, specifically with the legacy EXE installer, the VPATH value '....' resolves the landmark to a path outside the installation directory. Because Windows may allow low-privilege users to create folders in the root directory of the OS drive, an attacker can create the landmark there together with an alternative Lib folder. The restricted installation then discovers and loads those unauthorized files, and, since the vector requires a more privileged user to run the interpreter (UI:A), this can lead to privilege escalation.
Recommendations: Migrate from the legacy EXE installer to the Python install manager and perform a per-user installation. Preemptively create the Modules directory at the location where the landmark resolves (the root of the OS drive in the affected configuration) and restrict access to it so that low-privilege users cannot create the landmark.
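The landmark check above can be audited without reading CPython's path-initialisation code. The following is an added example, not CPython's own getpath.py: it models only the relevant decision (join the executable directory with VPATH, test for 'Modules/Setup.local', and if present prefer that prefix's Lib folder), reports whether the resulting prefix escapes the installation, and replays the attacker's step in a throwaway directory standing in for the drive root. Assumptions, stated here and in the code: VPATH is taken as ".." because the value printed in the advisory is ambiguous; python.exe is assumed to sit directly in the install directory; the names `audit_landmark` and `simulate_drive_root` are this example's own.

```python
"""Added example, not CPython's getpath.py: a simplified model of the
source-tree landmark check that this advisory describes.

Assumptions: VPATH = ".." (the advisory's printed value is ambiguous);
python.exe lives directly in the install directory; audit_landmark and
simulate_drive_root are names chosen for this example. Only path arithmetic
and a temporary directory are used, so it runs on any OS.
"""
import os
import tempfile

# Landmark named in the advisory (Windows filesystems compare case-insensitively).
BUILD_LANDMARK = os.path.join("Modules", "Setup.local")


def is_inside(path: str, root: str) -> bool:
    """True when `path` is `root` itself or lies beneath it."""
    path, root = os.path.abspath(path), os.path.abspath(root)
    try:
        return os.path.commonpath([path, root]) == root
    except ValueError:  # different drives on Windows: certainly outside
        return False


def audit_landmark(install_dir: str, executable_dir: str, vpath: str) -> dict:
    """Model the decision: build_prefix = executable_dir/VPATH; if
    build_prefix/Modules/Setup.local exists, build_prefix/Lib is used instead
    of install_dir/Lib. Report whether the prefix escapes the installation and
    which Lib directory would be used right now."""
    build_prefix = os.path.normpath(os.path.join(executable_dir, vpath))
    landmark = os.path.join(build_prefix, BUILD_LANDMARK)
    landmark_present = os.path.isfile(landmark)
    lib_dir = os.path.join(build_prefix if landmark_present else install_dir, "Lib")
    return {
        "build_prefix": build_prefix,
        "landmark": landmark,
        "escapes_install": not is_inside(build_prefix, install_dir),
        "landmark_present": landmark_present,
        "lib_dir_used": lib_dir,
    }


def simulate_drive_root(vpath: str = "..") -> dict:
    """Constructed scenario: a temporary directory plays the drive root, holding
    <root>/Python as the installation; a low-privilege user then plants
    <root>/Modules/Setup.local and <root>/Lib, as the advisory describes."""
    with tempfile.TemporaryDirectory() as root:
        install_dir = os.path.join(root, "Python")
        os.makedirs(os.path.join(install_dir, "Lib"))
        before = audit_landmark(install_dir, install_dir, vpath)

        # Attacker step: nothing beyond folder/file creation at the drive root.
        os.makedirs(os.path.join(root, "Modules"))
        with open(os.path.join(root, "Modules", "Setup.local"), "w"):
            pass
        os.makedirs(os.path.join(root, "Lib"))
        after = audit_landmark(install_dir, install_dir, vpath)

        return {
            "escapes_install": before["escapes_install"],
            "clean_uses_install_lib": before["lib_dir_used"]
            == os.path.join(install_dir, "Lib"),
            "planted_landmark_detected": after["landmark_present"],
            "hijacked_lib": after["lib_dir_used"] == os.path.join(root, "Lib"),
            # Directory the recommendation says to pre-create and lock down.
            "mitigation_target": os.path.join(before["build_prefix"], "Modules"),
        }


if __name__ == "__main__":
    for key, value in simulate_drive_root().items():
        print(f"{key}: {value}")
```

Run against a real installation, `audit_landmark(install_dir, install_dir, vpath)` with the VPATH your build actually carries tells you two things a practitioner wants before and after applying the recommendation: whether `build_prefix` lies outside the installation at all, and whether the landmark already exists there. `mitigation_target` is the Modules directory to pre-create with restrictive permissions.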

Weakness Enumeration

Uncontrolled Search Path Element (CWE-427)

Related Identifiers

CVE-2026-12003
PSF-2026-28

Affected Products

Cpython