CVE-2026-22702: virtualenv Has TOCTOU Vulnerabilities in Directory Creation

TOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in virtualenv allow local attackers to perform symlink-based attacks on directory creation operations. An attacker with local access can exploit a race condition between directory existence checks and creation to redirect virtualenv’s app_data and lock file operations to attacker-controlled locations.

Affected versions: All versions up to and including 20.36.1

Affected users: Any user running virtualenv on multi-user systems where untrusted local users have filesystem access to shared temporary directories or where VIRTUALENV_OVERRIDE_APP_DATA points to a user-writable location.

Attack scenarios:

• Cache poisoning: Attacker corrupts wheels or Python metadata in the cache
• Information disclosure: Attacker reads sensitive cached data or metadata
• Lock bypass: Attacker controls lock file semantics to cause concurrent access violations
• Denial of service: Lock starvation preventing virtualenv operations