CVE-2026-22701
📋 TL;DR
This CVE describes a TOCTOU race condition vulnerability in the filelock Python package's SoftFileLock implementation. Attackers with local filesystem access can exploit a timing window between permission validation and file creation to manipulate symlinks, potentially causing lock failures or unexpected behavior. This affects Python applications using filelock versions before 3.20.3 for file locking operations.
💻 Affected Systems
- filelock Python package
📦 What is this software?
Filelock by Tox Dev
⚠️ Risk & Real-World Impact
Worst Case
An attacker could cause denial of service by making file locks unreliable, potentially disrupting critical processes that depend on file locking for coordination. In multi-user systems, this could lead to data corruption or race conditions in applications.
Likely Case
Local attackers could cause intermittent lock failures, leading to application errors or unexpected behavior in processes using filelock. This is most likely to manifest as reliability issues rather than direct compromise.
If Mitigated
With proper access controls limiting who can create symlinks in lock file directories, the attack surface is significantly reduced. Applications running with minimal privileges would see limited impact.
🎯 Exploit Status
Exploitation requires precise timing (TOCTOU race condition) and specific permissions to create symlinks. No public exploit code has been identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.20.3
Vendor Advisory: https://github.com/tox-dev/filelock/security/advisories/GHSA-qmgc-5h2g-mvrw
Restart Required: No
Instructions:
1. Update filelock package: pip install --upgrade "filelock>=3.20.3" (quote the specifier so the shell does not treat > as a redirect)
2. Verify the update: pip show filelock
3. Restart any Python applications using filelock to ensure they load the patched version.
🔧 Temporary Workarounds
Restrict symlink creation
Linux: Prevent users from creating symlinks in directories where lock files are stored
chmod -R o-w /path/to/lock/directory
setfacl -R -m u:user:rwx /path/to/lock/directory
Use alternative locking mechanism
All platforms: Temporarily switch to a different file-locking implementation while waiting for the patch
Use the standard-library fcntl module (Unix only; it ships with Python and is not installed via pip) or platform-specific locking APIs
🧯 If You Can't Patch
- Implement strict file permissions on lock file directories to prevent unauthorized symlink creation
- Monitor for unexpected symlink creation in lock file directories and alert on suspicious activity
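The two mitigations above (strict directory permissions, watching for symlinked lock entries) can be turned into a small audit routine. The following is an added example, not code from the filelock project: it flags a world-writable lock directory (and the missing sticky bit), lists any .lock entry that is a symlink, and applies the chmod o-w workaround from this page. The finding labels and the constructed temporary directory in demo() are this example's own.

```python
import os
import shutil
import stat
import tempfile
from pathlib import Path


def audit_lock_dir(lock_dir):
    """Audit a lock-file directory and return a sorted list of finding strings.

    The labels are this example's own, not filelock's:
      "dir-world-writable"  others may create or rename entries, symlinks included
      "dir-sticky-missing"  world-writable without the sticky bit (no /tmp-style protection)
      "symlink:<name>"      a .lock entry that is itself a symlink
    """
    d = Path(lock_dir)
    findings = []
    mode = d.lstat().st_mode
    if mode & stat.S_IWOTH:
        findings.append("dir-world-writable")
        if not mode & stat.S_ISVTX:
            findings.append("dir-sticky-missing")
    for entry in d.iterdir():
        if entry.suffix == ".lock" and entry.is_symlink():
            findings.append(f"symlink:{entry.name}")
    return sorted(findings)


def harden_lock_dir(lock_dir):
    """Apply the page's workaround: strip write permission from 'others'
    (equivalent to `chmod o-w`). Returns the resulting permission bits."""
    current = stat.S_IMODE(os.stat(lock_dir).st_mode)
    os.chmod(lock_dir, current & ~stat.S_IWOTH)
    return stat.S_IMODE(os.stat(lock_dir).st_mode)


def demo():
    """Constructed scenario: a too-permissive lock directory holding one normal
    lock file and one .lock entry that is a symlink. Returns
    (findings_before, findings_after_hardening)."""
    tmp = Path(tempfile.mkdtemp(prefix="lockaudit-"))
    try:
        os.chmod(tmp, 0o777)                      # deliberately too permissive
        (tmp / "job.lock").write_text("")         # an ordinary soft-lock file
        target = tmp / "elsewhere.txt"            # benign symlink target inside tmp
        target.write_text("")
        os.symlink(target, tmp / "stale.lock")    # lock entry that is a symlink
        before = audit_lock_dir(tmp)
        harden_lock_dir(tmp)                      # removes the world-write bit
        after = audit_lock_dir(tmp)
        return before, after
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    b, a = demo()
    print("before:", b)
    print("after: ", a)
```

After hardening only the symlink finding remains, which is the point: permissions stop new symlinks from being planted, but an entry that already exists still has to be cleaned up by hand.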
🔍 How to Verify
Check if Vulnerable:
Check filelock version: python -c "import filelock; print(filelock.__version__)" and compare to 3.20.3
Check Version:
python -c "import filelock; print(filelock.__version__)" or pip show filelock | grep Version
Verify Fix Applied:
Verify version is 3.20.3 or higher and test lock functionality in your application
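Comparing version strings by eye (or with a plain string comparison, where "3.9.0" sorts after "3.20.3") is error-prone, so here is an added example, not part of the advisory, that reads the installed filelock version through importlib.metadata and compares it numerically against 3.20.3. The parse_version helper and the status labels are this example's own.

```python
import importlib.metadata
import re

# First patched release, per the vendor advisory on this page.
FIXED = (3, 20, 3)


def parse_version(text):
    """Return the leading numeric dotted components as a 3-tuple.

    '3.20.3' -> (3, 20, 3); '3.21.0rc1' -> (3, 21, 0); '3.20' -> (3, 20, 0).
    Pre-release suffixes are ignored, so a hypothetical 3.20.3rc1 would be
    treated as 3.20.3; check the suffix separately if that matters to you.
    """
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable(version_text):
    """True when the given filelock version predates the fix."""
    return parse_version(version_text) < FIXED


def installed_filelock_status():
    """Return (status, version) for the filelock installed in this interpreter.
    status is one of 'not installed', 'vulnerable', 'patched'."""
    try:
        v = importlib.metadata.version("filelock")
    except importlib.metadata.PackageNotFoundError:
        return ("not installed", None)
    return ("vulnerable" if is_vulnerable(v) else "patched", v)


if __name__ == "__main__":
    status, version = installed_filelock_status()
    print(f"filelock {version}: {status}")
```

Run it in every virtual environment your applications use; a patched system Python says nothing about a venv that pinned an older filelock.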
📡 Detection & Monitoring
Log Indicators:
- Unexpected lock acquisition failures
- Permission errors when creating lock files
- Multiple processes accessing locked resources simultaneously
Network Indicators:
- None - this is a local filesystem vulnerability
SIEM Query:
Search for: 'filelock error', 'lock acquisition failed', 'permission denied' in application logs where filelock is used
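To show what that search looks like over real log text, here is an added example (not from the advisory or the filelock project) that scans application log lines for the indicator strings above, plus filelock's own Timeout exception name, and aggregates failures per lock file so repeated failures on one path stand out. The log lines are constructed samples, and the indicator names and threshold are this example's own choices.

```python
import re
from collections import Counter

# Indicator patterns built from the log indicators listed on this page.
# "filelock.Timeout" is the exception filelock raises when a lock cannot be
# acquired in time; whether it reaches your logs depends on your error handling.
INDICATORS = {
    "lock_error": re.compile(r"filelock error|lock acquisition failed", re.IGNORECASE),
    "permission": re.compile(r"permission denied", re.IGNORECASE),
    "timeout": re.compile(r"filelock\.Timeout", re.IGNORECASE),
}

LOCK_PATH = re.compile(r"(/\S+\.lock)")

# Constructed sample lines, not output from any real application.
SAMPLE_LOGS = [
    "2026-01-15T10:01:02Z worker[412] INFO  job 7 started",
    "2026-01-15T10:01:03Z worker[413] ERROR filelock error: lock acquisition failed for /var/app/locks/job.lock",
    "2026-01-15T10:01:03Z worker[414] ERROR PermissionError: [Errno 13] Permission denied: '/var/app/locks/job.lock'",
    "2026-01-15T10:01:04Z worker[412] INFO  job 7 finished",
    "2026-01-15T10:01:09Z worker[415] ERROR filelock.Timeout: The file lock '/var/app/locks/job.lock' could not be acquired.",
    "2026-01-15T10:01:10Z worker[416] ERROR filelock error: lock acquisition failed for /var/app/locks/job.lock",
]


def scan(lines):
    """Return [(line_number, indicator_name)] for every matching line."""
    hits = []
    for n, line in enumerate(lines, 1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.append((n, name))
    return hits


def alert_summary(lines, threshold=2):
    """Indicator counts that reach the alerting threshold."""
    counts = Counter(name for _, name in scan(lines))
    return {name: c for name, c in counts.items() if c >= threshold}


def failures_per_lock(lines):
    """Count indicator hits per lock-file path mentioned on the matching line."""
    per_path = Counter()
    matched = {n for n, _ in scan(lines)}
    for n, line in enumerate(lines, 1):
        if n in matched:
            m = LOCK_PATH.search(line)
            if m:
                per_path[m.group(1)] += 1
    return dict(per_path)


if __name__ == "__main__":
    print(scan(SAMPLE_LOGS))
    print(alert_summary(SAMPLE_LOGS))
    print(failures_per_lock(SAMPLE_LOGS))
```

A burst of failures concentrated on a single lock path, especially paired with permission errors, is the pattern worth alerting on; isolated timeouts under load are usually just contention.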