CVE-2026-22702 — Link Following in Virtualenv

CWE-59 — Link Following CWE-362 — Race Condition8 documents7 sources

Severity

4.5MEDIUMNVD

EPSS

0.0%

top 97.55%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Pypa Virtualenv Virtualenv

Timeline

PublishedJan 10

Latest updateJan 13

Description

virtualenv is a tool for creating isolated virtual python environments. Prior to version 20.36.1, TOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in virtualenv allow local attackers to perform symlink-based attacks on directory creation operations. An attacker with local access can exploit a race condition between directory existence checks and creation to redirect virtualenv's app_data and lock file operations to attacker-controlled locations. This issue has been patched in version 20.36.1.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:LExploitability: 1.0 | Impact: 3.4

Affected Packages3 packages

▶CVEListV5pypa/virtualenv< 20.36.1

▶NVDvirtualenv/virtualenv< 20.36.1

▶PyPIvirtualenv/virtualenv< 20.36.1

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

virtualenv Has TOCTOU Vulnerabilities in Directory Creation↗2026-01-13

▶

OSV

virtualenv Has TOCTOU Vulnerabilities in Directory Creation↗2026-01-13

▶

CVEList

virtualenv Has TOCTOU Vulnerabilities in Directory Creation↗2026-01-10

▶

OSV

CVE-2026-22702: virtualenv is a tool for creating isolated virtual python environments↗2026-01-10

▶

📋Vendor Advisories

Red Hat

virtualenv: virtualenv: Local attacker can redirect file operations via TOCTOU race condition↗2026-01-10

▶

Debian

CVE-2026-22702: python-virtualenv - virtualenv is a tool for creating isolated virtual python environments. Prior to...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-22702 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶