CVE-2026-4360

Published: July 4, 2026Last modified: July 13, 2026

Description

In the Tarfile.extract() function, the filter parameter is not passed properly when extracting hardlinks. An affected system that extracts content from untrusted tar files could end up writing files with an unexpected uid/gid despite the user passing filter='data' to the extract() function.

Severity score breakdown

ParameterValue
Base score5.3
Attack VectorNETWORK
Attack complexityLOW
Privileges requiredNONE
User interactionNONE
ScopeUNCHANGED
ConfidentialityNONE
Integrity impactLOW
Availability impactNONE
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Status

ProductReleasePackageStatus
Alpaquita Linux23 LTSpython3Fixed (3.11.15-r6)
25 LTSpython3Fixed (3.12.13-r6)
Streampython3Fixed (3.14.5-r5)
Hardened Containers23 LTSpython3Vulnerable (3.11.3-r0)
25 LTSpython3Fixed (3.12.13-r6)
Streampython3Fixed (3.14.5-r5)

References

ON THIS PAGE