Description
When using the "tarfile" module with a file opened in "streaming mode" (mode="r|") the tarfile module did not properly handle EOF, making archive parsing take exponentially longer.
Published: 2026-06-23
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In Python’s tarfile module, a bug in streaming mode (mode="r|") causes the EOF to be handled incorrectly, making archive parsing continue for an exponentially long period. When a tarfile is processed in this mode, the module fails to stop at the actual end of the archive, leading to excessive CPU utilization and an infinite loop (CWE-835) that persists until system resources are exhausted or a timeout occurs. The impact is a denial of service on the process or the host.

Affected Systems

Python Software Foundation CPython instances that use the tarfile module in streaming mode and are running a version released prior to the issued fix. The specific version is not enumerated in the advisory, but any CPython install where the bug exists until the patch is applied is affected.

Risk and Exploitability

The CVSS score of 8.2 indicates high severity. The flaw can be triggered by supplying a crafted tar archive that the application reads with tarfile in streaming mode, and it is not listed in CISA’s KEV catalog. Attackers can induce a denial of service by feeding a malformed archive from any source that the vulnerable process ingests, potentially remotely if the process accepts user‑supplied archives over a network. The EPSS score of < 1% indicates a very low but non‑zero probability that the vulnerability will be actively exploited in the wild.

Generated by OpenCVE AI on June 30, 2026 at 01:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest CPython release that contains the tarfile streaming mode EOF fix.
  • Avoid processing untrusted tar files with streaming mode; use a safer reading mode or restrict input sources.
  • If upgrading immediately is not possible, temporarily disable or refuse to open tar archives with mode="r|", or sanitize input before passing to tarfile.

Generated by OpenCVE AI on June 30, 2026 at 01:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 16:00:00 +0000


Tue, 30 Jun 2026 00:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-835
References
Metrics threat_severity

None

cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Wed, 24 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Description When using the "tarfile" module with a file opened in "streaming mode" (mode="r|") the tarfile module did not properly handle EOF, meaning an archive could be parsed in an infinite loop. When using the "tarfile" module with a file opened in "streaming mode" (mode="r|") the tarfile module did not properly handle EOF, making archive parsing take exponentially longer.
References

Wed, 24 Jun 2026 13:00:00 +0000


Wed, 24 Jun 2026 01:15:00 +0000

Type Values Removed Values Added
First Time appeared Python
Python cpython
Vendors & Products Python
Python cpython

Tue, 23 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
Description When using the "tarfile" module with a file opened in "streaming mode" (mode="r|") the tarfile module did not properly handle EOF, meaning an archive could be parsed in an infinite loop.
Title tarfile opened in streaming mode mishandles EOF
Weaknesses CWE-252
CWE-606
CWE-770
References
Metrics cvssV4_0

{'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: PSF

Published:

Updated: 2026-06-30T15:13:21.383Z

Reserved: 2026-06-11T11:35:05.520Z

Link: CVE-2026-11972

cve-icon Vulnrichment

Updated: 2026-06-24T15:34:04.108Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-23T22:02:45Z

Links: CVE-2026-11972 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-30T01:30:05Z

Weaknesses
  • CWE-252

    Unchecked Return Value

  • CWE-606

    Unchecked Input for Loop Condition

  • CWE-770

    Allocation of Resources Without Limits or Throttling

  • CWE-835

    Loop with Unreachable Exit Condition ('Infinite Loop')