CVE-2026-11972
Published: June 26, 2026Last modified: July 3, 2026
Description
When using the "tarfile" module with a file opened in "streaming mode" (mode="r|") the tarfile module did not properly handle EOF, making archive parsing take exponentially longer.
Status
| Product | Release | Package | Status |
|---|---|---|---|
| Alpaquita Linux | 23 LTS | python3 | Fixed (3.11.15-r5) |
| 25 LTS | python3 | Fixed (3.12.13-r5) | |
| Stream | python3 | Fixed (3.14.5-r4) | |
| Hardened Containers | 23 LTS | python3 | Fixed (3.11.15-r5) |
| 25 LTS | python3 | Fixed (3.12.13-r5) | |
| Stream | python3 | Fixed (3.14.5-r4) |
References
- https://github.com/python/cpython/commit/3f031d431f80668e14f3bc066bbf4369cd9281b9
- https://github.com/python/cpython/commit/4ce6bf7c8aa7725828a38981c306f214c1f29365
- https://github.com/python/cpython/commit/7f0dc59c9a70f8f3b4da33d7c4a2ba552a7acc21
- https://github.com/python/cpython/commit/e86666c9dd256d52d0fbef6feb1ea4a51768fdec
- https://github.com/python/cpython/commit/eb63c0f94dfcbea7fda8eab6213818e134d67192
- https://github.com/python/cpython/commit/f50bf13566189c8d0ce5a814f33eff3d89951896
- https://github.com/python/cpython/issues/151981
- https://github.com/python/cpython/pull/151982
- https://mail.python.org/archives/list/[email protected]/thread/AXPSKKTSRKXTTJULW3XSIC74WZNAAPPB/