CVE-2026-11940
ADVISORY - debian
Summary
tarfile.extractall() with the 'data' or 'tar' filter could be bypassed by a crafted archive in which a hardlink references a symlink stored at a deeper name than the hardlink itself. The extraction fallback validated the symlink at its archived location but recreated it at the hardlink's shallower path, so a relative target that the filter judged to be contained could escape the destination directory once resolved from the shallower path. A malicious tar archive could therefore create a symlink pointing outside the destination, enabling file reads or writes outside the destination. This was an incomplete fix of CVE-2025-4330.
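The following is an added illustration of the bypass condition described above; it is not CPython's code or its fix. It audits a tar archive for hardlink members whose target is a symlink member, and re-resolves that symlink's relative target from the hardlink's own path (where the fallback would recreate it) rather than from the symlink's archived path. The helper names (symlink_escapes, audit_hardlinked_symlinks, safe_extractall, build_archive, audit_bytes) and the sample archive are constructed for this example; member names such as a/b/link and the target ../../escape are illustrative, not taken from the advisory.

```python
import io
import posixpath
import tarfile


def symlink_escapes(link_path: str, target: str) -> bool:
    """Resolve a symlink target relative to the path where the link will be
    created and report whether it lands outside the extraction root.  Both
    arguments are destination-relative POSIX paths as stored in the archive."""
    if posixpath.isabs(target):
        return True
    resolved = posixpath.normpath(posixpath.join(posixpath.dirname(link_path), target))
    return resolved == ".." or resolved.startswith("../")


def audit_hardlinked_symlinks(tar: tarfile.TarFile) -> list[str]:
    """Return the names of hardlink members whose link target is a symlink
    member that would escape the destination once recreated at the hardlink's
    own path.  (Hypothetical helper, not part of the tarfile module.)"""
    by_name = {m.name: m for m in tar.getmembers()}
    findings = []
    for member in tar.getmembers():
        if not member.islnk():
            continue
        linked = by_name.get(member.linkname)
        if linked is None or not linked.issym():
            continue
        # Re-check the symlink's relative target from the hardlink's path, which
        # is where the fallback recreates it, instead of the deeper archived path.
        if symlink_escapes(member.name, linked.linkname):
            findings.append(member.name)
    return findings


def safe_extractall(data: bytes, dest: str) -> None:
    """Refuse to extract when the audit flags a member; otherwise extract with
    the 'data' filter.  Hypothetical wrapper written for this example."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        bad = audit_hardlinked_symlinks(tar)
        if bad:
            raise ValueError(f"hardlink(s) would recreate an escaping symlink: {bad}")
        tar.extractall(dest, filter="data")


def build_archive(sym_name: str, sym_target: str, hard_name: str) -> bytes:
    """Constructed sample archive (not a real-world capture): directories a/
    and a/b/, one symlink member, and one hardlink member pointing at it."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for dirname in ("a", "a/b"):
            info = tarfile.TarInfo(dirname)
            info.type = tarfile.DIRTYPE
            tar.addfile(info)
        sym = tarfile.TarInfo(sym_name)
        sym.type = tarfile.SYMTYPE
        sym.linkname = sym_target
        tar.addfile(sym)
        hard = tarfile.TarInfo(hard_name)
        hard.type = tarfile.LNKTYPE
        hard.linkname = sym_name
        tar.addfile(hard)
    return buf.getvalue()


def audit_bytes(data: bytes) -> list[str]:
    """Open an in-memory archive and run the audit over it."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        return audit_hardlinked_symlinks(tar)


if __name__ == "__main__":
    # '../../escape' resolves to 'escape' from a/b/, but to '../../escape'
    # from the top level, which is where the hardlink 'link' would place it.
    crafted = build_archive("a/b/link", "../../escape", "link")
    print(audit_bytes(crafted))  # ['link']
    # A hardlink at the same depth as the symlink stays contained and is not flagged.
    benign = build_archive("a/b/link", "../../escape", "a/b/link2")
    print(audit_bytes(benign))  # []
```

The audit runs on member metadata only, so it can be applied before any extraction. On the interpreter versions listed below, the fix is to upgrade; the pre-check above is a stopgap for code that must accept untrusted archives on an unpatched interpreter, and it does not replace the filter (which still handles absolute names, device nodes, and the other cases the 'data' filter covers).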
- python3.14
- python3.13
- python3.11
- python3.9
- python2.7
- pypy3

https://github.com/python/cpython/issues/151558
https://github.com/python/cpython/pull/151559
https://github.com/python/cpython/commit/672825e2f36a57e173959b0d9d409d4560dab8df (3.15 branch)
https://github.com/python/cpython/commit/79c06bd5c6afa3c440d50faf7ee1b147c8832b4c (3.14 branch)
https://github.com/python/cpython/commit/771d12dda5140313db0ac550292987975651bbde (3.13 branch)