DEBIAN-CVE-2026-22702

Source
https://security-tracker.debian.org/tracker/CVE-2026-22702
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-22702.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2026-22702
Upstream
Published
2026-01-10T07:16:02.857Z
Modified
2026-01-13T10:14:41.569565Z
Severity
  • 4.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
Summary
[none]
Details

virtualenv is a tool for creating isolated virtual Python environments. Prior to version 20.36.1, TOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in virtualenv allow local attackers to perform symlink-based attacks on directory creation operations. An attacker with local access can exploit a race condition between directory existence checks and creation to redirect virtualenv's app_data and lock file operations to attacker-controlled locations. This issue has been patched in version 20.36.1.

References

Affected packages

Debian:11 / python-virtualenv

Package

Name
python-virtualenv
Purl
pkg:deb/debian/python-virtualenv?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

20.*

20.4.0+ds-2
20.4.0+ds-2+deb11u1
20.4.6+ds-1
20.4.6+ds-2
20.9.0+ds-1
20.10.0+ds-1
20.12.1+ds-1
20.13.0+ds-1
20.13.0+ds-2
20.14.0+ds-1
20.15.0+ds-1
20.16.3+ds-1
20.16.3+ds-2
20.16.3+ds-3
20.16.3+ds-4
20.16.3+ds-4.1
20.16.3+ds-5
20.16.6+ds-1
20.17.1+ds-1
20.19.0+ds-1
20.21.0+ds-1
20.23.0+ds-1
20.23.0+ds-2
20.24.1+ds-1
20.24.6+ds-1
20.24.6+ds-2
20.25.0+ds-1
20.25.0+ds-2
20.25.1+ds-1
20.26.1+ds-1
20.26.2+ds-1
20.26.6+ds-1
20.27.0+ds-1
20.28.0+ds-1
20.29.1+ds-1
20.29.3+ds-1
20.30.0+ds-1
20.30.0+ds-2
20.30.0+ds-3
20.31.2+ds-1
20.33.1+ds-1
20.34.0+ds-1
20.35.3+ds-1
20.35.4+ds-1
20.36.1+ds-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-22702.json"

Debian:12 / python-virtualenv

Package

Name
python-virtualenv
Purl
pkg:deb/debian/python-virtualenv?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

20.*

20.17.1+ds-1
20.19.0+ds-1
20.21.0+ds-1
20.23.0+ds-1
20.23.0+ds-2
20.24.1+ds-1
20.24.6+ds-1
20.24.6+ds-2
20.25.0+ds-1
20.25.0+ds-2
20.25.1+ds-1
20.26.1+ds-1
20.26.2+ds-1
20.26.6+ds-1
20.27.0+ds-1
20.28.0+ds-1
20.29.1+ds-1
20.29.3+ds-1
20.30.0+ds-1
20.30.0+ds-2
20.30.0+ds-3
20.31.2+ds-1
20.33.1+ds-1
20.34.0+ds-1
20.35.3+ds-1
20.35.4+ds-1
20.36.1+ds-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-22702.json"

Debian:13 / python-virtualenv

Package

Name
python-virtualenv
Purl
pkg:deb/debian/python-virtualenv?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

20.*

20.31.2+ds-1
20.33.1+ds-1
20.34.0+ds-1
20.35.3+ds-1
20.35.4+ds-1
20.36.1+ds-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-22702.json"

Debian:14 / python-virtualenv

Package

Name
python-virtualenv
Purl
pkg:deb/debian/python-virtualenv?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
20.36.1+ds-1

Affected versions

20.*

20.31.2+ds-1
20.33.1+ds-1
20.34.0+ds-1
20.35.3+ds-1
20.35.4+ds-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-22702.json"