CVE-2026-4360
Published: July 4, 2026Last modified: July 13, 2026
Description
In the Tarfile.extract() function, the filter parameter is not passed properly when extracting hardlinks. An affected system that extracts content from untrusted tar files could end up writing files with an unexpected uid/gid despite the user passing filter='data' to the extract() function.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 5.3 |
| Attack Vector | NETWORK |
| Attack complexity | LOW |
| Privileges required | NONE |
| User interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality | NONE |
| Integrity impact | LOW |
| Availability impact | NONE |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
Status
| Product | Release | Package | Status |
|---|---|---|---|
| Alpaquita Linux | 23 LTS | python3 | Fixed (3.11.15-r6) |
| 25 LTS | python3 | Fixed (3.12.13-r6) | |
| Stream | python3 | Fixed (3.14.5-r5) | |
| Hardened Containers | 23 LTS | python3 | Vulnerable (3.11.3-r0) |
| 25 LTS | python3 | Fixed (3.12.13-r6) | |
| Stream | python3 | Fixed (3.14.5-r5) |
References
- https://github.com/python/cpython/commit/5e0ef3f1afe892e4f64eb83368db57ac4c40cba0
- https://github.com/python/cpython/commit/7b57e8d51446297b8c7c482d224bc5f1938e4301
- https://github.com/python/cpython/commit/7ccdbaba2c54250a70d7f25632152df7655a5e0a
- https://github.com/python/cpython/commit/d2b2f5eacab4dd48446b63340613b05dcbbf0b44
- https://github.com/python/cpython/commit/eee3ddf0ca10283cc7fea724aae9cd8665f8d15e
- https://github.com/python/cpython/issues/151987
- https://github.com/python/cpython/pull/151988
- https://mail.python.org/archives/list/[email protected]/thread/TWZW2PC2AZOV6FENIHFSRC63OM7MBGSB/