BIT-virtualenv-2026-22702
TOCTOU (Time-of-Check-Time-of-Use) vulnerability in virtualenv (PyPI)

TOCTOU (Time-of-Check-Time-of-Use) No known exploit

What is BIT-virtualenv-2026-22702 About?

TOCTOU vulnerabilities in `virtualenv` allow local attackers to perform symlink-based attacks on directory creation operations. An attacker can exploit a race condition to redirect `virtualenv`'s app_data and lock file operations to attacker-controlled locations, leading to cache poisoning, information disclosure, or denial of service. Exploitation requires local access and the ability to win a race condition, making it moderately complex.

Affected Software

virtualenv <20.36.1

Technical Details

The virtualenv application exhibits TOCTOU vulnerabilities during directory creation operations. Specifically, a race condition exists between the check for directory existence and its subsequent creation. An attacker with local filesystem access can leverage this by monitoring virtualenv's operations. During the small window between virtualenv checking if a directory exists and then creating it, the attacker can create a symbolic link (symlink) at the intended target path, pointing to an arbitrary, attacker-controlled location. This manipulates virtualenv into performing operations (like writing app_data or lock files) into an unintended directory, enabling cache poisoning, data exfiltration, or causing denial of service by disrupting lock file semantics.
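The check-then-create pattern described above, next to one hardened form, as an added example (not virtualenv's own code and not its actual patch). The function names and the `app_data` directory name are hypothetical, and the scenario is constructed: a symlink already sits at the directory path, so the behaviour is deterministic rather than timing-dependent.

```python
import os
import stat
import tempfile


def ensure_dir_racy(path):
    """Check-then-create shape described above (the 'before' form)."""
    if not os.path.exists(path):   # time of check; exists() follows symlinks
        os.makedirs(path)          # time of use; the path may have changed
    return path


def ensure_private_dir(path):
    """Create path in one step, then accept it only if it is our own real directory."""
    try:
        os.mkdir(path, 0o700)      # fails with EEXIST if anything, even a symlink, is there
    except FileExistsError:
        pass
    st = os.lstat(path)            # lstat() does not follow symlinks
    if not stat.S_ISDIR(st.st_mode):
        raise RuntimeError(f"{path} is not a real directory")
    if st.st_uid != os.getuid():
        raise RuntimeError(f"{path} is owned by uid {st.st_uid}")
    if st.st_mode & 0o022:
        raise RuntimeError(f"{path} is writable by group or others")
    return path


def demo():
    """Constructed scenario: a symlink already sits at the directory path."""
    with tempfile.TemporaryDirectory() as base:
        elsewhere = os.path.join(base, "elsewhere")  # stands in for the redirect target
        os.mkdir(elsewhere)
        planted = os.path.join(base, "app_data")     # hypothetical directory name
        os.symlink(elsewhere, planted)

        ensure_dir_racy(planted)                     # no error: the link is accepted
        racy_redirected = os.path.realpath(planted) == os.path.realpath(elsewhere)
        try:
            ensure_private_dir(planted)
            rejected = False
        except RuntimeError:
            rejected = True
        fresh = ensure_private_dir(os.path.join(base, "fresh"))
        fresh_private = (os.lstat(fresh).st_mode & 0o077) == 0
        return racy_redirected, rejected, fresh_private


if __name__ == "__main__":
    print(demo())
```

The `lstat()` result only stays trustworthy while the parent directory is not writable by other users or has the sticky bit set.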

What is the Impact of BIT-virtualenv-2026-22702?

Successful exploitation may allow attackers to corrupt application caches, disclose sensitive cached data, bypass lock file mechanisms causing concurrent access violations, or lead to denial of service by preventing virtualenv operations.

What is the Exploitability of BIT-virtualenv-2026-22702?

Exploitation requires local access to the system. No authentication is required beyond filesystem access. Privilege requirements are low: standard user permissions to create symlinks in shared temporary directories are sufficient. The complexity lies in timing the symlink creation to win the race condition, which can be challenging but is often achievable programmatically. Risk increases on multi-user systems where untrusted local users have write access to shared temporary directories, or where `VIRTUALENV_OVERRIDE_APP_DATA` points to a user-writable location.

What are the Known Public Exploits?

PoC Author Link Commentary
No known exploits

What are the Available Fixes for BIT-virtualenv-2026-22702?

Available Upgrade Options

  • virtualenv
    • <20.36.1 → Upgrade to 20.36.1


What are Similar Vulnerabilities to BIT-virtualenv-2026-22702?

Similar Vulnerabilities: CVE-2025-68146, CVE-2020-1492, CVE-2020-1375, CVE-2020-10147, CVE-2021-3965