CVE-2026-22701
Publication date 10 January 2026
Last updated 4 February 2026
Ubuntu priority
Description
filelock is a platform-independent file lock for Python. Prior to version 3.20.3, a TOCTOU race condition vulnerability exists in the SoftFileLock implementation of the filelock package. An attacker with local filesystem access and permission to create symlinks can exploit a race condition between the permission validation and file creation to cause lock operations to fail or behave unexpectedly. The vulnerability occurs in the _acquire() method between raise_on_not_writable_file() (permission check) and os.open() (file creation). During this race window, an attacker can create a symlink at the lock file path, potentially causing the lock to operate on an unintended target file or leading to denial of service. This issue has been patched in version 3.20.3.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| python-filelock | 25.10 questing |
Vulnerable
|
| 24.04 LTS noble |
Fixed 3.13.1-1ubuntu0.1~esm1
|
|
| 22.04 LTS jammy |
Fixed 3.6.0-1ubuntu0.1~esm1
|
|
| 20.04 LTS focal |
Fixed 3.0.12-2ubuntu0.1~esm1
|
|
| 18.04 LTS bionic |
Fixed 3.0.4-1ubuntu0.1~esm1
|
Get expanded security coverage with Ubuntu Pro
Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.
Get Ubuntu Pro 30-day free trialSeverity score breakdown
| Parameter | Value |
|---|---|
| Base score |
5.3 · Medium
|
| Attack vector | Local |
| Attack complexity | High |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | Low |
| Availability impact | High |
| Vector | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-7999-1
- Filelock vulnerabilities
- 2 February 2026