CVE-2026-22701

EUVD-2026-1870
filelock is a platform-independent file lock for Python. Prior to version 3.20.3, a TOCTOU race condition vulnerability exists in the SoftFileLock implementation of the filelock package. An attacker with local filesystem access and permission to create symlinks can exploit a race condition between the permission validation and file creation to cause lock operations to fail or behave unexpectedly. The vulnerability occurs in the _acquire() method between raise_on_not_writable_file() (permission check) and os.open() (file creation). During this race window, an attacker can create a symlink at the lock file path, potentially causing the lock to operate on an unintended target file or leading to denial of service. This issue has been patched in version 3.20.3.
Link Following
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.3 MEDIUM
LOCAL
HIGH
LOW
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 1%
Affected Products (NVD)
VendorProductVersion
tox-devfilelock
𝑥
< 3.20.3
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
python-filelock
bookworm
no-dsa
bullseye
postponed
forky
3.29.4-1
fixed
sid
3.29.5-1
fixed
trixie
no-dsa
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
python-filelock-doc
Amazon Linux 2023
0:3.3.1-1.amzn2023.0.2
fixed
python3-filelock
Amazon Linux 2023
0:3.3.1-1.amzn2023.0.2
fixed
python3.13-filelock
Amazon Linux 2023
0:3.18.0-1.amzn2023.0.1
fixed
Azure Linux logo
Azure Linux Releases
Azure Package
Release
python-filelock
Azure Linux 3.0
0:3.20.3-1.azl3
fixed