Impact
A TarFile's errorlevel attribute controls how extraction errors are handled. With errorlevel set to 0, the documented behavior is that a member rejected by the extraction filter (for example one whose path would resolve outside the destination directory) is skipped and extraction continues with the next member. In the affected CPython releases the extraction code does not honor this contract: the filter's error is suppressed, as errorlevel 0 requires, but the member is then extracted as if the filter had accepted it. An attacker who can get such an application to extract a crafted tar archive can therefore have members the filter was meant to reject written to the target directory, creating or overwriting files and defeating the isolation the filter was supposed to provide between archive contents and the application environment. The record classifies the flaw as CWE-706 (Use of Incorrectly-Resolved Name or Reference) and CWE-682 (Incorrect Calculation).
Affected Systems
The flaw resides in CPython's tarfile module. Every CPython release that predates the fix commit is affected; the bug is only reachable where the extraction filter API exists, that is CPython 3.12 and later and the 3.8 to 3.11 security releases that backported the filters, since without a filter there is nothing for errorlevel 0 to bypass. Red Hat Enterprise Linux 8 and 9 and their extended-support streams (RHEL EUS, RHEL E4S, RHEL EUS Long Life, RHEL TUS) are at risk wherever they ship unpatched Python packages. Because the CVE record does not list specific CPython release numbers, identify which interpreter each application actually runs (distribution packages, vendored runtimes and container base images may all differ) and confirm against the upstream changelog or the distribution's errata that its version includes the fix.
Risk and Exploitability
The CVSS score of 7.5 indicates high severity. The EPSS score of less than 1 % and the absence of the flaw from the CISA KEV catalog suggest that exploitation is currently rare, but the consequence, filtered members landing on the filesystem, is a real integrity problem. The attack vector is an application that extracts a user-supplied tar archive through a filter while its TarFile has errorlevel = 0; the default errorlevel is 1, so code that never lowers it is not exposed. In that configuration an attacker who controls the archive can create or overwrite files that the filter should have blocked, potentially exposing sensitive data or altering configuration. Until the interpreter is patched, do not combine errorlevel = 0 with untrusted archives, or apply the filter to each member yourself and pass only the accepted members to extraction, which makes the outcome independent of errorlevel. Although the exploitation probability is low, the impact of unintended file creation or overwrite warrants timely remediation.