Description

filelock is a platform-independent file lock for Python. Prior to version 3.20.3, a TOCTOU race condition vulnerability exists in the SoftFileLock implementation of the filelock package. An attacker with local filesystem access and permission to create symlinks can exploit a race condition between the permission validation and file creation to cause lock operations to fail or behave unexpectedly. The vulnerability occurs in the _acquire() method between raise_on_not_writable_file() (permission check) and os.open() (file creation). During this race window, an attacker can create a symlink at the lock file path, potentially causing the lock to operate on an unintended target file or leading to denial of service. This issue has been patched in version 3.20.3.

INFO

Published Date :

2026-01-10T05:59:28.872Z

Last Modified :

2026-01-12T16:45:50.638Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-22701 vulnerability.

Vendors Products
Tox-dev
  • Filelock
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-22701.

URL Resource
https://github.com/tox-dev/filelock/commit/255ed068bc85d1ef406e50a135e1459170dd1bf0 cve-icon cve-icon
https://github.com/tox-dev/filelock/commit/41b42dd2c72aecf7da83dbda5903b8087dddc4d5 cve-icon cve-icon
https://github.com/tox-dev/filelock/security/advisories/GHSA-qmgc-5h2g-mvrw cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact