UBUNTU-CVE-2026-12003

Source
https://ubuntu.com/security/CVE-2026-12003
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-12003.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-12003
Upstream
Published
2026-06-16T17:16:00Z
Modified
2026-06-24T11:00:16.854914661Z
Severity
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
  • Ubuntu - medium
Summary
[none]
Details

To allow builds of Python to be run from an in-tree layout (rather than an installed file layout), the VPATH variable is defined at build time and used to locate certain landmarks - specifically, Modules/setup.local. When this landmark is found relative to VPATH relative to the executable, Python assumes it is running in a source tree and generates a different default sys.path. This code remains in release builds, so that release-ready builds can be built in-tree. On Windows, since builds are written to 'PCbuild/', the value of VPATH is set to '....', which results in a landmark of '....\Modules\setup.local'. This path is outside the install directory of Python, and may have different permissions, potentially allowing a low-privilege user to create the landmark and an alternative Lib folder that will be discovered by an otherwise restricted install. Such a setup occurs with the legacy default install location for all users (in the now superseded EXE installer), due to how Windows allows all users to create folders in the root directory of their OS drive. Our recommended mitigation on Windows is to migrate away from the legacy installer and use the new Python install manager to install for the current user. Installs where the directory two levels above the Python installation directory have equivalent permissions are unaffected (in general, a per-user install cannot be modified at all by other users, removing any escalation of privilege risk, and could be directly modified by a privileged user, making the potential tampering irrelevant). Alternative mitigations might include preemptively creating and restricting access to a Modules directory. Be aware that only 3.13 and 3.14 will receive updated legacy installers - earlier fixes are only provided as sources. Platforms other than Windows allow VPATH to be overridden, but as they don't usually use a separated directory in the build for binaries, are unlikely to have a landmark reference outside of the install directory. The landmark detection involving VPATH is a fallback for when a more specific landmark - .\pybuilddir.txt - is absent, and was included for compatibility. Future releases of Python will no longer include the fallback, and so builds will need to generate or preserve the pybuilddir.txt file in order to work in-tree. This landmark file has been generated on Windows since 3.11, and on other platforms for longer.

References

Affected packages

Ubuntu:16.04:LTS
cython

Package

Name
cython
Purl
pkg:deb/ubuntu/cython?arch=source&distro=xenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

0.*
0.23.3-0ubuntu1
0.23.4-0ubuntu2
0.23.4-0ubuntu3
0.23.4-0ubuntu4
0.23.4-0ubuntu5

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "cython",
            "binary_version": "0.23.4-0ubuntu5"
        },
        {
            "binary_name": "cython3",
            "binary_version": "0.23.4-0ubuntu5"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-12003.json"
Ubuntu:18.04:LTS
cython

Package

Name
cython
Purl
pkg:deb/ubuntu/cython?arch=source&distro=bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

0.*
0.25.2-2build3
0.26.1-0.3ubuntu1
0.26.1-0.4

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "cython",
            "binary_version": "0.26.1-0.4"
        },
        {
            "binary_name": "cython3",
            "binary_version": "0.26.1-0.4"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-12003.json"
Ubuntu:20.04:LTS
cython

Package

Name
cython
Purl
pkg:deb/ubuntu/cython?arch=source&distro=focal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

0.*
0.29.10-0ubuntu1
0.29.13-0ubuntu2
0.29.13-0.1
0.29.14-0.1
0.29.14-0.1ubuntu2
0.29.14-0.1ubuntu3

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "cython",
            "binary_version": "0.29.14-0.1ubuntu3"
        },
        {
            "binary_name": "cython3",
            "binary_version": "0.29.14-0.1ubuntu3"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-12003.json"
Ubuntu:22.04:LTS
cython

Package

Name
cython
Purl
pkg:deb/ubuntu/cython?arch=source&distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

0.*
0.29.21-1ubuntu3
0.29.21-1ubuntu4
0.29.24-0ubuntu3
0.29.24-2ubuntu1
0.29.28-1ubuntu1
0.29.28-1ubuntu3

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "cython3",
            "binary_version": "0.29.28-1ubuntu3"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-12003.json"
Ubuntu:24.04:LTS
cython

Package

Name
cython
Purl
pkg:deb/ubuntu/cython?arch=source&distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

0.*
0.29.36-1ubuntu1
0.29.36-1ubuntu2
0.29.36-2ubuntu1
0.29.36-3ubuntu1
0.29.36-3.1ubuntu2
3.*
3.0.7-2ubuntu1
3.0.8-1ubuntu1
3.0.8-1ubuntu3

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "cython3",
            "binary_version": "3.0.8-1ubuntu3"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-12003.json"
Ubuntu:25.10
cython

Package

Name
cython
Purl
pkg:deb/ubuntu/cython?arch=source&distro=questing

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3.*
3.0.11+dfsg-2ubuntu2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "cython3",
            "binary_version": "3.0.11+dfsg-2ubuntu2"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-12003.json"
Ubuntu:26.04:LTS
cython

Package

Name
cython
Purl
pkg:deb/ubuntu/cython?arch=source&distro=resolute

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3.*
3.0.11+dfsg-2ubuntu2
3.0.11+dfsg-2ubuntu4
3.0.11+dfsg-2ubuntu5
3.1.6+dfsg-1ubuntu1
3.1.6+dfsg-1ubuntu2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "cython3",
            "binary_version": "3.1.6+dfsg-1ubuntu2"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-12003.json"