CVE-2026-22702
Description
virtualenv is a tool for creating isolated virtual Python environments. Prior to version 20.36.1, TOCTOU (time-of-check-to-time-of-use) vulnerabilities in virtualenv allow local attackers to perform symlink-based attacks on directory creation operations. virtualenv checks whether a directory exists and then creates it in a separate step; an attacker with local access who wins the race between the existence check and the creation can plant a symlink at the expected path and redirect virtualenv's app_data directory and lock file operations to attacker-controlled locations. This issue has been patched in version 20.36.1.
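The following is an added illustration of the bug class described above, not code from virtualenv or from its patch: a racy check-then-create helper (`racy_ensure_dir`) next to a hardened one (`safe_ensure_dir`) that creates first and then inspects the result with `lstat`, plus a lock-file opener that relies on `O_CREAT|O_EXCL|O_NOFOLLOW`. The scenario functions construct a temporary directory in which the attacker has already won the race and planted a symlink; the names `app_data`, `virtualenv.lock` and `attacker_target` are assumptions for the demonstration.

```python
"""Added example (not virtualenv's code): TOCTOU on directory/lock creation."""
import os
import stat
import tempfile


def racy_ensure_dir(path: str) -> str:
    # Vulnerable pattern: existence check and creation are separate steps.
    # Between them another local user can drop a symlink at `path`; the
    # check then "succeeds" and the caller proceeds into the link target.
    if not os.path.exists(path):
        os.mkdir(path, 0o700)
    return os.path.realpath(path)


def safe_ensure_dir(path: str) -> str:
    # Hardened pattern: create unconditionally, then verify with lstat
    # (which does not follow symlinks) that `path` is a real directory and,
    # on POSIX, that we own it. A planted symlink is detected, not followed.
    try:
        os.mkdir(path, 0o700)
    except FileExistsError:
        pass
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        raise RuntimeError(f"refusing to use {path}: it is a symlink")
    if not stat.S_ISDIR(st.st_mode):
        raise RuntimeError(f"refusing to use {path}: not a directory")
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        raise RuntimeError(f"refusing to use {path}: owned by uid {st.st_uid}")
    return path


def safe_create_lock(lock_path: str) -> int:
    # O_CREAT|O_EXCL fails if anything (a symlink included) already exists at
    # lock_path, so the caller knows it created the file itself; O_NOFOLLOW
    # (where available) additionally refuses to follow a symlink.
    flags = os.O_CREAT | os.O_EXCL | os.O_WRONLY | getattr(os, "O_NOFOLLOW", 0)
    return os.open(lock_path, flags, 0o600)


def simulate_planted_symlink(ensure_fn) -> tuple:
    """Constructed scenario: the attacker already placed a symlink where the
    program expects its app_data directory. Returns (outcome, detail)."""
    with tempfile.TemporaryDirectory() as tmp:
        attacker_target = os.path.join(tmp, "attacker_target")  # assumed name
        os.mkdir(attacker_target)
        expected = os.path.join(tmp, "app_data")  # assumed name
        os.symlink(attacker_target, expected)  # the planted link
        try:
            result = ensure_fn(expected)
        except RuntimeError as exc:
            return ("refused", str(exc))
        hijacked = os.path.realpath(result) == os.path.realpath(attacker_target)
        return ("hijacked" if hijacked else "ok", result)


def simulate_planted_lock() -> str:
    """Constructed scenario: a symlink sits where the lock file is created."""
    with tempfile.TemporaryDirectory() as tmp:
        attacker_file = os.path.join(tmp, "attacker_file")  # assumed name
        open(attacker_file, "w").close()
        lock = os.path.join(tmp, "virtualenv.lock")  # assumed name
        os.symlink(attacker_file, lock)
        try:
            fd = safe_create_lock(lock)
        except FileExistsError:
            return "refused"
        os.close(fd)
        return "created"


if __name__ == "__main__":
    print("racy :", simulate_planted_symlink(racy_ensure_dir))
    print("safe :", simulate_planted_symlink(safe_ensure_dir))
    print("lock :", simulate_planted_lock())
```

The racy helper ends up operating inside `attacker_target`; the hardened helper refuses the path, and the lock opener fails with `FileExistsError` instead of writing through the link. Note that `safe_ensure_dir` still trusts the parent directory: the check is only meaningful if the attacker cannot replace the directory after `lstat` returns, which holds for a directory the process owns in a parent it controls, not for a world-writable location such as `/tmp`.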
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2026-22702
Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2026-22702.html
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| sles | | affected | |
| debian | bookworm | affected | |
| debian | bullseye | affected | |
| debian | forky | fixed | 20.36.1+ds-1 |
| debian | sid | fixed | 20.36.1+ds-1 |
| debian | trixie | affected | |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| PyPI | virtualenv | <20.36.1 | 20.36.1 |
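As an added check (not part of this page's data or of virtualenv itself), the snippet below reads the version of the virtualenv package installed for the running interpreter and compares it against the fixed version from the table. It assumes a plain `X.Y.Z` version string; pre-release suffixes are ignored, which is the conservative direction since a pre-release of 20.36.1 is still treated as older than the fix only if its numeric part is lower.

```python
"""Added check (not virtualenv's code): is the installed virtualenv < 20.36.1?"""
import re
from importlib.metadata import PackageNotFoundError, version

FIXED_VERSION = (20, 36, 1)  # from the package impact table


def parse_version(v: str) -> tuple:
    # Keep only the leading numeric part of each dotted component so that
    # "20.36.1" -> (20, 36, 1); pad to three components for comparison.
    parts = []
    for comp in v.split(".")[:3]:
        m = re.match(r"\d+", comp)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable(v: str) -> bool:
    return parse_version(v) < FIXED_VERSION


def installed_status() -> str:
    try:
        v = version("virtualenv")
    except PackageNotFoundError:
        return "not installed"
    return f"{v}: {'VULNERABLE' if is_vulnerable(v) else 'fixed'}"


if __name__ == "__main__":
    print("virtualenv", installed_status())
```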
References
- https://github.com/pypa/virtualenv/security/advisories/GHSA-597g-3phw-6986
- https://nvd.nist.gov/vuln/detail/CVE-2026-22702
- https://github.com/pypa/virtualenv/pull/3013
- https://github.com/pypa/virtualenv/commit/dec4cec5d16edaf83a00a658f32d1e032661cebc
- https://github.com/pypa/virtualenv
- https://www.suse.com/security/cve/CVE-2026-22702.html
- https://security-tracker.debian.org/tracker/CVE-2026-22702