Skip to main content

CPython tarfile EUVDEUVD-2026-38630

| CVE-2026-11972 HIGH
Unchecked Return Value (CWE-252)
2026-06-23 PSF GHSA-wqxf-pjxh-hh4h
8.2
CVSS 4.0 · Vendor: PSF
Share

Severity by source

Vendor (PSF) PRIMARY
8.2 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Network-reachable parsers accept attacker tar bytes with no auth or UI; only availability is affected via CPU exhaustion, hence C:N/I:N/A:H.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Red Hat
6.5 MEDIUM
qualitative

Primary rating from Vendor (PSF).

CVSS VectorVendor: PSF

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 23, 2026 - 22:45 vuln.today
Analysis Generated
Jun 23, 2026 - 22:45 vuln.today

DescriptionCVE.org

When using the "tarfile" module with a file opened in "streaming mode" (mode="r|") the tarfile module did not properly handle EOF, meaning an archive could be parsed in an infinite loop.

AnalysisAI

Denial of service in CPython's tarfile module allows remote attackers to trigger an infinite loop by supplying a crafted tar archive opened in streaming mode (mode='r|'). The seek() routine fails to detect EOF and keeps requesting bufsize reads of empty data when a TarInfo header declares a size far larger than the actual stream, exhausting CPU on any Python service that parses untrusted tar streams. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify endpoint parsing tar streams
Delivery
Craft tar header with size 2^64
Exploit
Submit archive to streaming endpoint
Install
tarfile seek() loops on EOF reads
C2
CPU pinned, worker hangs
Execute
Repeat to exhaust workers
Impact
Service-wide denial of service

Vulnerability AssessmentAI

Exploitation Requires the target application to call tarfile.open() in streaming mode (mode='r|', including 'r|gz', 'r|bz2', 'r|xz') against attacker-controlled archive bytes, and to subsequently invoke an API that triggers seek() over member data (getmembers(), iteration, or extractall). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 4.0 is 8.2 reflecting network attack vector, low complexity, no privileges or UI, with high availability impact and no confidentiality or integrity impact (AV:N/AC:L/AT:P/PR:N/UI:N/VA:H). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker uploads or serves a tiny tar archive containing a single header with TarInfo.size set to a huge value (e.g. 2^64) and no payload bytes; the victim service opens it with tarfile.open(fileobj=..., mode='r|') and calls getmembers() or iterates members, at which point _Stream.seek() loops forever reading empty bytes and pins a CPU core. …
Remediation Upstream fix available (PR/commit); released patched version not independently confirmed - apply the change from https://github.com/python/cpython/pull/151982, which adds a break when _Stream.seek() reads an empty buffer, and watch the PSF security-announce thread (https://mail.python.org/archives/list/security-announce@python.org/thread/AXPSKKTSRKXTTJULW3XSIC74WZNAAPPB/) for the tagged Python point releases that include it. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all production and development Python services that utilize the tarfile module, particularly those processing external or untrusted tar archives. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-6100 CRITICAL
9.1 Apr 13

CPython decompression modules (lzma, bz2, gzip) allow memory corruption via use-after-free when decompressor instances a

CVE-2026-9669 HIGH
8.2 Jun 08

Stack-based buffer overflow in CPython's bz2.BZ2Decompressor allows remote attackers to crash Python applications by sen

CVE-2026-11940 HIGH
7.8 Jun 23

Path traversal in CPython's tarfile module allows a crafted tar archive to bypass the 'data' and 'tar' extraction filter

CVE-2026-4786 HIGH
7.0 Apr 13

Command injection in CPython's webbrowser.open() API bypasses previous CVE-2026-4519 mitigation via specially crafted UR

CVE-2026-4519 HIGH
7.0 Mar 20

The webbrowser.open() API in CPython accepts URLs with leading dashes, which certain web browsers interpret as command-l

CVE-2026-7774 MEDIUM
6.9 Jun 04

Path traversal in CPython's tarfile module allows malicious tar archives to bypass the data_filter safety mechanism and

CVE-2026-7210 MEDIUM
6.3 May 11

XML parsers in CPython's xml.parsers.expat and xml.etree.ElementTree modules use insufficient entropy for Expat hash-flo

CVE-2026-3276 MEDIUM
6.3 Jun 03

Denial-of-service via quadratic algorithmic complexity in CPython's unicodedata.normalize() affects all CPython versions

CVE-2026-8328 MEDIUM
5.9 May 13

Server-Side Request Forgery in CPython's ftplib module allows a malicious FTP source server to redirect a target FTP ser

CVE-2026-12003 MEDIUM
5.3 Jun 16

Privilege escalation in CPython on Windows enables a low-privileged local user to hijack the module search path of a mor

CVE-2026-0864 MEDIUM
4.1 Jun 23

Config file injection in CPython's configparser module allows an attacker who controls multi-line values written via con

CVE-2026-6019 LOW
2.1 Apr 22

CPython's http.cookies.Morsel.js_output() method generates inline script snippets that fail to neutralize the HTML parse

Vendor StatusVendor

SUSE

Severity: Important
Product Status
SLES15-SP5-CHOST-BYOS-SAP-CCloud Affected
SLES15-SP5-CHOST-BYOS-SAP-CCloud Affected
SLES15-SP6-CHOST-BYOS Affected
SLES15-SP6-CHOST-BYOS-Aliyun Affected
SLES15-SP6-CHOST-BYOS-Azure Affected

Share

EUVD-2026-38630 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy