—

CVE-2026-11972EXPLOITEDPATCHED

python software foundation · cpython

tarfile opened in streaming mode mishandles EOF

Description

When using the "tarfile" module with a file opened in "streaming mode" (mode="r|") the tarfile module did not properly handle EOF, making archive parsing take exponentially longer.

Affected Products

Vendor	Product	Versions
python software foundation	cpython	0

References

https://github.com/python/cpython/issues/151981(issue-tracking)
https://github.com/python/cpython/pull/151982(patch)
https://mail.python.org/archives/list/security-announce@python.org/thread/AXPSKKTSRKXTTJULW3XSIC74WZNAAPPB/(vendor-advisory)

Related News (3 articles)

Tier A

Microsoft MSRC3h ago

CVE-2026-11972 tarfile opened in streaming mode mishandles EOF

→ No new info (linked only)

Tier B

CERT-FR3d ago

Multiples vulnérabilités dans CPython (25 juin 2026)

→ No new info (linked only)

Tier C

VulDB4d ago

CVE-2026-11972 | Python CPython up to 3.15.x Tarfile return value (Issue 151981)

→ No new info (linked only)

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

3.16.0

CWECWE-252, CWE-606, CWE-770

PublishedJun 23, 2026

Last enriched4d agov2

Trending Score55

Source articles3

Independent3

Info Completeness8/14

Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

NONECVE-2026-12003EXP

CPython >3.11 Insecure Input Validation resulting in privilege escalation

Trending: 67

NONECVE-2026-0864

Configuration Injection via Carriage Return (\r) in write() method

Trending: 39

NONECVE-2026-11940

tarfile extraction filter bypass allows escaping the destination directory

Trending: 32

NONECVE-2026-9669EXP

bz2.BZ2Decompressor reuse after error can cause a stack buffer overflow

Trending: 14

NONECVE-2026-3276EXP

Potential DoS via quadratic complexity in unicodedata.normalize()

Trending: 11

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Jun 23, 2026

Discovered by ZDM

Jun 23, 2026

Updated: description, affectedVersions, severity, activelyExploited

Jun 24, 2026

Actively Exploited

Jun 24, 2026

Patch Available

Jun 24, 2026

Version History

Last enriched 4d ago

v2Tier C4d ago

Updated description with new technical details, added affected version 3.15.x, changed severity to HIGH, and noted that no exploit is available.

descriptionaffectedVersionsseverityactivelyExploited

via VulDB

v14d ago

Initial creation