Description
To allow builds of Python to be run from an in-tree layout (rather than
an installed file layout), the VPATH variable is defined at build time
and used to locate certain landmarks - specifically,
Modules/setup.local. When this landmark is found relative to VPATH
relative to the executable, Python assumes it is running in a source
tree and generates a different default sys.path. This code remains in
release builds, so that release-ready builds can be built in-tree.

On Windows, since builds are written to 'PCbuild/', the value of
VPATH is set to '..\..', which results in a landmark of
'..\..\Modules\setup.local'. This path is outside the install directory
of Python, and may have different permissions, potentially allowing a
low-privilege user to create the landmark and an alternative `Lib`
folder that will be discovered by an otherwise restricted install.

Such a setup occurs with the legacy default install location for all
users (in the now superseded EXE installer), due to how Windows allows
all users to create folders in the root directory of their OS drive.

Our recommended mitigation on Windows is to migrate away from the
legacy installer and use the new [Python install
manager](https://www.python.org/downloads/latest/pymanager/) to install
for the current user. Installs where the directory two levels above the
Python installation directory have equivalent permissions are unaffected
(in general, a per-user install cannot be modified at all by other
users, removing any escalation of privilege risk, and could be directly
modified by a privileged user, making the potential tampering
irrelevant). Alternative mitigations might include preemptively creating
and restricting access to a `Modules` directory. Be aware that only 3.13
and 3.14 will receive updated legacy installers - earlier fixes are only
provided as sources.

Platforms other than Windows allow VPATH to be overridden, but as they
don't usually use a separated directory in the build for binaries, are
unlikely to have a landmark reference outside of the install directory.

The landmark detection involving VPATH is a fallback for when a more
specific landmark - .\pybuilddir.txt - is absent, and was included for
compatibility. Future releases of Python will no longer include the
fallback, and so builds will need to generate or preserve the
pybuilddir.txt file in order to work in-tree. This landmark file has
been generated on Windows since 3.11, and on other platforms for longer.
Published: 2026-06-16
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability stems from CPython’s handling of the VPATH variable in Windows builds that use the legacy EXE installer. VPATH is set to '..\\..', so the interpreter searches for a "setup.local" landmark outside the installed tree. If a low‑privilege user creates that landmark and an alternative "Lib" directory, CPython will load modules from the attacker‑controlled location, thereby enabling privilege escalation on the Windows system. The flaw is a path‑traversal/abnormal privilege abuse weakness (CWE‑427). It is present in CPython releases starting with 3.11, including upcoming 3.13 and 3.14 updates where legacy installers are modified.

Affected Systems

The issue affects Python Software Foundation CPython on Windows systems that employ the legacy all‑users installer, which places executables in "PCbuild/". The vulnerability applies to CPython 3.11 and newer. On non‑Windows platforms the same VPATH fallback exists but is unlikely to expose an external landmark, limiting the impact to Windows. The flaw disappears when a per‑user installation is used or when the directory two levels above the installation has restrictive permissions.

Risk and Exploitability

The CVSS score is 5.3, indicating medium severity, while the EPSS score of <1% signals a very low probability of exploitation. The CVE is not listed in the CISA KEV catalog. An attacker must have local access on a Windows machine running a legacy CPython installation and must be able to create files in the root OS directory. Under those conditions, the attacker can inject malicious modules that CPython will load, providing a privilege escalation vector. Because the flaw only triggers with in‑tree builds, the attack surface is limited, but the potential impact of executing arbitrary code as the user running Python is significant.

Generated by OpenCVE AI on June 17, 2026 at 21:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Use the new Python install manager and perform a per‑user installation instead of the legacy all‑users installer.
  • Avoid use of the legacy installer; remove existing legacy installs or reinstall Python to a per‑user location.
  • Ensure that the directory two levels above the installation has restrictive permissions so that a low‑privilege user cannot create the VPATH landmark.
  • For builds that rely on the VPATH fallback, generate a pybuilddir.txt file in the build tree; future releases will require this file and the fallback will be removed.
  • As a temporary workaround, create an empty Modules directory outside the installation and set access controls to deny write permissions to non‑privileged users.

Generated by OpenCVE AI on June 17, 2026 at 21:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 20:00:00 +0000


Tue, 16 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
References

Tue, 16 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Python
Python cpython
Vendors & Products Python
Python cpython

Tue, 16 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description To allow builds of Python to be run from an in-tree layout (rather than an installed file layout), the VPATH variable is defined at build time and used to locate certain landmarks - specifically, Modules/setup.local. When this landmark is found relative to VPATH relative to the executable, Python assumes it is running in a source tree and generates a different default sys.path. This code remains in release builds, so that release-ready builds can be built in-tree. On Windows, since builds are written to 'PCbuild/', the value of VPATH is set to '..\..', which results in a landmark of '..\..\Modules\setup.local'. This path is outside the install directory of Python, and may have different permissions, potentially allowing a low-privilege user to create the landmark and an alternative `Lib` folder that will be discovered by an otherwise restricted install. Such a setup occurs with the legacy default install location for all users (in the now superseded EXE installer), due to how Windows allows all users to create folders in the root directory of their OS drive. Our recommended mitigation on Windows is to migrate away from the legacy installer and use the new [Python install manager](https://www.python.org/downloads/latest/pymanager/) to install for the current user. Installs where the directory two levels above the Python installation directory have equivalent permissions are unaffected (in general, a per-user install cannot be modified at all by other users, removing any escalation of privilege risk, and could be directly modified by a privileged user, making the potential tampering irrelevant). Alternative mitigations might include preemptively creating and restricting access to a `Modules` directory. Be aware that only 3.13 and 3.14 will receive updated legacy installers - earlier fixes are only provided as sources. Platforms other than Windows allow VPATH to be overridden, but as they don't usually use a separated directory in the build for binaries, are unlikely to have a landmark reference outside of the install directory. The landmark detection involving VPATH is a fallback for when a more specific landmark - .\pybuilddir.txt - is absent, and was included for compatibility. Future releases of Python will no longer include the fallback, and so builds will need to generate or preserve the pybuilddir.txt file in order to work in-tree. This landmark file has been generated on Windows since 3.11, and on other platforms for longer.
Title CPython >3.11 Insecure Input Validation resulting in privilege escalation
Weaknesses CWE-427
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: PSF

Published:

Updated: 2026-06-23T17:55:53.735Z

Reserved: 2026-06-11T17:05:37.519Z

Link: CVE-2026-12003

cve-icon Vulnrichment

Updated: 2026-06-16T19:12:36.706Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-16T17:16:31.667

Modified: 2026-06-16T20:16:27.337

Link: CVE-2026-12003

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-17T21:45:02Z

Weaknesses
  • CWE-427

    Uncontrolled Search Path Element