Impact
This vulnerability stems from CPython’s handling of the VPATH variable in Windows builds that use the legacy EXE installer. VPATH is set to '..\\..', so the interpreter searches for a "setup.local" landmark outside the installed tree. If a low‑privilege user creates that landmark and an alternative "Lib" directory, CPython will load modules from the attacker‑controlled location, thereby enabling privilege escalation on the Windows system. The flaw is a path‑traversal/abnormal privilege abuse weakness (CWE‑427). It is present in CPython releases starting with 3.11, including upcoming 3.13 and 3.14 updates where legacy installers are modified.
Affected Systems
The issue affects Python Software Foundation CPython on Windows systems that employ the legacy all‑users installer, which places executables in "PCbuild/". The vulnerability applies to CPython 3.11 and newer. On non‑Windows platforms the same VPATH fallback exists but is unlikely to expose an external landmark, limiting the impact to Windows. The flaw disappears when a per‑user installation is used or when the directory two levels above the installation has restrictive permissions.
Risk and Exploitability
The CVSS score is 5.3, indicating medium severity, while the EPSS score of <1% signals a very low probability of exploitation. The CVE is not listed in the CISA KEV catalog. An attacker must have local access on a Windows machine running a legacy CPython installation and must be able to create files in the root OS directory. Under those conditions, the attacker can inject malicious modules that CPython will load, providing a privilege escalation vector. Because the flaw only triggers with in‑tree builds, the attack surface is limited, but the potential impact of executing arbitrary code as the user running Python is significant.
OpenCVE Enrichment