Description
When using the "tarfile" module with a file opened in "streaming mode" (mode="r|") the tarfile module did not properly handle EOF, meaning an archive could be parsed in an infinite loop.
Published: 2026-06-23
Score: 8.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In Python’s tarfile module, a bug in streaming mode (mode="r|") causes the module to fail to detect end-of-file correctly, so parsing a crafted archive can loop forever. The runaway loop consumes CPU until the process is terminated or the host becomes unresponsive, degrading availability. The weakness maps to an unchecked return value and an unchecked loop condition, combined with resource consumption that has no upper limit.

Affected Systems

CPython instances from the Python Software Foundation that use the tarfile module in streaming mode and run a release that predates the fix. The advisory does not enumerate specific versions; any CPython install that still contains the bug is affected until the patch is applied.

Risk and Exploitability

A CVSS score of 8.2 signals high severity; the vulnerability is triggered by a crafted tar archive that the application processes with tarfile in streaming mode. The EPSS score is currently unavailable, and the flaw is not listed in CISA’s KEV catalog. An attacker can cause the denial of service by supplying a malformed archive through any source the vulnerable application reads, so the vector is local or remote depending on the application’s exposure.

Generated by OpenCVE AI on June 24, 2026 at 02:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest CPython release that contains the tarfile streaming mode EOF fix.
  • Avoid processing untrusted tar files with streaming mode; use a safer reading mode or restrict input sources.
  • If upgrading immediately is not possible, temporarily disable or refuse to open tar archives with mode="r|", or sanitize input before passing it to tarfile.
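As an added illustration of the mitigations above (not code from the advisory or from CPython): a reader that refuses streaming modes outright and, when reading in a seekable mode, bounds the member-parsing loop by member count and wall-clock time so a malformed archive cannot keep the process busy indefinitely. The limits max_members and time_budget_s are assumed, tunable values; the sample archive is constructed in memory.

```python
import io
import tarfile
import time


class StreamingModeRefused(ValueError):
    """Raised when a caller asks for a streaming read mode ("r|", "r|gz", ...)."""


class TarLimitExceeded(RuntimeError):
    """Raised when the member count or the wall-clock budget is exceeded."""


def list_members_guarded(fileobj, mode="r:*", max_members=1000, time_budget_s=2.0):
    """Return member names from a tar archive under the page's mitigations.

    Any mode beginning with "r|" (the streaming mode the advisory says
    mishandles EOF) is refused. The parse loop is additionally capped by
    member count and elapsed time; both limits are assumed defaults.
    """
    if mode.startswith("r|"):
        raise StreamingModeRefused(f"refusing streaming mode {mode!r}")
    deadline = time.monotonic() + time_budget_s
    names = []
    with tarfile.open(fileobj=fileobj, mode=mode) as tf:
        while True:
            member = tf.next()  # seekable mode: next() returns None at EOF
            if member is None:
                break
            names.append(member.name)
            if len(names) > max_members:
                raise TarLimitExceeded(f"more than {max_members} members")
            if time.monotonic() > deadline:
                raise TarLimitExceeded(f"parse exceeded {time_budget_s}s budget")
    return names


def build_sample_archive(member_names):
    """Constructed sample: an in-memory tar with one empty file per name."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in member_names:
            info = tarfile.TarInfo(name)  # size defaults to 0
            tf.addfile(info, io.BytesIO(b""))
    buf.seek(0)
    return buf
```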

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 01:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Python; Python cpython
Vendors & Products    -                Python; Python cpython

Tue, 23 Jun 2026 22:30:00 +0000

Type          Values Removed   Values Added
Description   -                When using the "tarfile" module with a file opened in "streaming mode" (mode="r|") the tarfile module did not properly handle EOF, meaning an archive could be parsed in an infinite loop.
Title         -                tarfile opened in streaming mode mishandles EOF
Weaknesses    -                CWE-252; CWE-606; CWE-770
References    -                -
Metrics       -                cvssV4_0: score 8.2, vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N


MITRE

Status: PUBLISHED

Assigner: PSF

Published:

Updated: 2026-06-23T22:02:45.434Z

Reserved: 2026-06-11T11:35:05.520Z

Link: CVE-2026-11972

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T02:45:05Z

Weaknesses
  • CWE-252: Unchecked Return Value
  • CWE-606: Unchecked Input for Loop Condition
  • CWE-770: Allocation of Resources Without Limits or Throttling