CVE-2026-11940

Public on 2026-06-23
Modified on 2026-06-25
Description
tarfile.extractall() with the 'data' or 'tar'
filter could be bypassed by a crafted archive where a hardlink
references a symlink stored at a deeper name than the hardlink itself. 
The extraction fallback validated the symlink at it's archived location
but recreated it at the hardlink's shallower
path, letting a relative
target the filter judged contained escape the destination directory. 
This allowed a malicious tar archive to create a symlink pointing
outside the destination, enabling out-of-destination file reads or
writes. This was an incomplete fix of CVE-2025-4330.
Severity
Important severity
Important
See what this means
CVSS v3 Base Score
7.5
See breakdown

Affected Packages

Platform Package Release Date Advisory Status
Amazon Linux 2 - Core python Not Affected
Amazon Linux 2 - Core python3 Not Affected
Amazon Linux 2023 python3.11 2026-07-07 ALAS2023-2026-1930 Fixed
Amazon Linux 2023 python3.12 2026-07-07 ALAS2023-2026-1931 Fixed
Amazon Linux 2023 python3.13 2026-07-07 ALAS2023-2026-1910 Fixed
Amazon Linux 2023 python3.14 2026-07-07 ALAS2023-2026-1929 Fixed
Amazon Linux 2023 python3.9 Pending Fix
Amazon Linux 2 - Python3.8 Extra python38 No Fix Planned

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N