CVE Catalog

CVE-2026-11972

HighCVSS 8.2
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.32%

24th percentile — higher than 24% of all known CVEs

Summary

A vulnerability in Python's 'tarfile' module occurs when opening an archive in streaming mode (mode='r|'). The module improperly handles EOF, causing archive parsing to take exponentially longer.

Risk Assessment

An attacker can supply a specially crafted tar archive that, when processed in streaming mode, causes significant slowdown or denial of service in the application.

Recommendation

Update Python to a version containing the fix for CVE-2026-11972. Avoid using streaming mode 'r|' with the tarfile module on untrusted data.

Original NVD description (English source)

When using the "tarfile" module with a file opened in "streaming mode" (mode="r|") the tarfile module did not properly handle EOF, making archive parsing take exponentially longer.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS