Anonymous Intelligence Signal

CVE-2026-22702: TOCTOU Race Condition in virtualenv Enables Symlink-Based Directory Attacks

human | The Lab | unverified | 2026-05-02 21:54:07 | Source: GitHub Issues

A time-of-check to time-of-use (TOCTOU) race condition has been reported in the virtualenv package (affected versions listed as up to and including 20.36.1; see the version caveat below). The flaw lies in how virtualenv creates directories: it checks whether a path exists and then creates or uses it as separate, non-atomic steps. A local attacker who can write to the parent directory can replace the path with a symlink between the check and the use, redirecting virtualenv's app_data directory and lock file operations to an attacker-controlled location.

The issue affects multi-user systems where untrusted local users can write to shared temporary directories, or where the VIRTUALENV_OVERRIDE_APP_DATA environment variable points to a directory writable by other users. Reported consequences are cache poisoning, through corruption of the application data virtualenv keeps there, and manipulation of the lock files used during virtual environment creation. The issue was documented in the virtualenv project's GitHub issue tracker and is tracked as CVE-2026-22702.

Users running virtualenv on shared or multi-user systems face the highest risk, particularly where filesystem permissions let one local account write to directories used by another. The recommended mitigation is to ensure that the directories virtualenv uses (including any VIRTUALENV_OVERRIDE_APP_DATA location) are not writable by untrusted parties and that shared temporary directories have appropriate access controls. The source lists the fix as version 20.36.1, which conflicts with the affected range given above (up to and including 20.36.1); the source itself notes this inconsistency in version tracking, so the exact fixed version should be verified against the official National Vulnerability Database record before acting on it.
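The following is an added illustration of the check-then-create race described above and of the create-then-verify pattern that closes it. It is example code written for this page, not virtualenv's code and not the project's actual fix; the directory names, the "attacker pre-plants a symlink" scenario, and the ownership and mode checks are assumptions chosen to show the technique. It is Unix-only (it relies on os.getuid, O_NOFOLLOW and dir_fd-relative opens).

```python
"""Check-then-create TOCTOU race vs. a create-then-verify replacement.

Added example for this page; not virtualenv's code or its fix. Unix-only.
"""
import errno
import os
import stat
import tempfile
from pathlib import Path


def app_dir_racy(path: Path) -> Path:
    """Check-then-create (the vulnerable pattern, illustrative only).

    Between exists() (time of check) and mkdir()/use (time of use), a local
    user who can write the parent directory can plant a symlink at `path`.
    resolve() then silently follows it, so everything written into the
    "app data" directory lands in the attacker's directory.
    """
    if not path.exists():
        path.mkdir(parents=True)
    return path.resolve()


def open_app_dir_safe(path: Path) -> int:
    """Create-then-verify (hardened form; an assumption, not the project's fix).

    mkdir is atomic, O_NOFOLLOW refuses a symlink at the final path
    component, and every later check runs on the fd we actually hold, so
    there is no window between check and use. Returns a directory fd that
    callers pass as dir_fd= when creating lock or cache files inside it.
    """
    try:
        os.mkdir(path, 0o700)
    except FileExistsError:
        pass  # may be a real dir or a planted symlink; decide on the fd below
    fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        st = os.fstat(fd)
        if st.st_uid != os.getuid():
            raise PermissionError(f"{path} is owned by uid {st.st_uid}, not us")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise PermissionError(f"{path} is group/world writable")
    except Exception:
        os.close(fd)
        raise
    return fd


def create_lock_file(dir_fd: int, name: str = "lock") -> None:
    """Create a lock file relative to the verified directory fd.

    O_EXCL means a pre-planted file or symlink (or a lock already held)
    makes us fail loudly instead of following it.
    """
    fd = os.open(name, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600, dir_fd=dir_fd)
    os.close(fd)


def demo() -> dict:
    """Constructed scenario: a shared parent directory where the attacker has
    already won the race and planted a symlink at the expected app-data path."""
    with tempfile.TemporaryDirectory() as tmp:
        shared = Path(tmp)
        attacker_dir = shared / "attacker_controlled"
        attacker_dir.mkdir()
        planted = shared / "app_data"          # directory name is an assumption
        planted.symlink_to(attacker_dir)       # the attacker's planted symlink

        racy_target = app_dir_racy(planted)    # follows the link without noticing
        try:
            open_app_dir_safe(planted)
            safe = "accepted"
        except OSError as e:                   # ELOOP from O_NOFOLLOW, or our checks
            safe = "refused:" + errno.errorcode.get(e.errno, type(e).__name__)

        clean = shared / "app_data_fresh"      # the non-attacked path still works
        fd = open_app_dir_safe(clean)
        create_lock_file(fd)
        lock = clean / "lock"
        lock_ok = lock.is_file() and not lock.is_symlink()
        os.close(fd)
        return {
            "racy_followed_symlink": racy_target == attacker_dir.resolve(),
            "safe": safe,
            "fresh_dir_lock_created": lock_ok,
        }


if __name__ == "__main__":
    print(demo())
```

The point of the hardened variant is that no decision is ever made on a path name that a second process could swap out: the directory is created without a preceding existence check, the open refuses to follow a symlink at the final component, ownership and mode are read from the open fd, and the lock file is created relative to that fd with O_EXCL. This does not help if the parent directory itself is attacker-writable and non-sticky (the attacker can then replace a freshly created empty directory before it is opened), which is why the mitigation above still requires that the parent not be writable by untrusted users.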