CVE-2026-22701

EPSS 0.12%
Veröffentlicht 10.01.2026 06:15:52
Zuletzt bearbeitet 05.03.2026 13:50:02
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

filelock Time-of-Check-Time-of-Use (TOCTOU) Symlink Vulnerability in SoftFileLock

filelock is a platform-independent file lock for Python. Prior to version 3.20.3, a TOCTOU race condition vulnerability exists in the SoftFileLock implementation of the filelock package. An attacker with local filesystem access and permission to create symlinks can exploit a race condition between the permission validation and file creation to cause lock operations to fail or behave unexpectedly. The vulnerability occurs in the _acquire() method between raise_on_not_writable_file() (permission check) and os.open() (file creation). During this race window, an attacker can create a symlink at the lock file path, potentially causing the lock to operate on an unintended target file or leading to denial of service. This issue has been patched in version 3.20.3.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 3 Referenzen 6

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Tox-dev ≫ Filelock SwPlatformpython Version < 3.20.3

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.12%	0.018

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	5.3	1	4.2	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H

CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.

CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition

The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the product to perform invalid actions when the resource is in an unexpected state.

CWE-59 Improper Link Resolution Before File Access ('Link Following')

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

https://github.com/tox-dev/filelock/commit/255ed068bc85d1ef406e50a135e1459170dd1bf0

Patch

https://github.com/tox-dev/filelock/commit/41b42dd2c72aecf7da83dbda5903b8087dddc4d5

Patch

https://github.com/tox-dev/filelock/security/advisories/GHSA-qmgc-5h2g-mvrw

Patch

Vendor Advisory

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2026-22701

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-22701

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-22701

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-22701