Early Access — Mondoo Vulnerability Intelligence is currently in preview.

Mondoo Vulnerability Intelligence

Curated by Mondoo Research, enhanced with AI

Resources

Search Vulnerabilities
Trending CVEs
Browse Ecosystems
Terminology
Blog

Open Source

cnquery
cnspec

Star us on GitHub!

Company

Mondoo Platform
About
Contact

Vulnerability Intelligence

DEBIAN-CVE-2026-22702

MEDIUM4.5

Published Jan 10, 2026

Modified Yesterday

Fix available

Details

virtualenv is a tool for creating isolated virtual python environments. Prior to version 20.36.1, TOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in virtualenv allow local attackers to perform symlink-based attacks on directory creation operations. An attacker with local access can exploit a race condition between directory existence checks and creation to redirect virtualenv's app_data and lock file operations to attacker-controlled locations. This issue has been patched in version 20.36.1.

Affected Packages

Debian:11python-virtualenv

Affected versions:

20.10.0+ds-120.12.1+ds-120.13.0+ds-120.13.0+ds-220.14.0+ds-120.15.0+ds-120.16.3+ds-120.16.3+ds-220.16.3+ds-320.16.3+ds-4+35 more

Debian:12python-virtualenv

Affected versions:

20.17.1+ds-120.19.0+ds-120.21.0+ds-120.23.0+ds-120.23.0+ds-220.24.1+ds-120.24.6+ds-120.24.6+ds-220.25.0+ds-120.25.0+ds-2+17 more

Debian:13python-virtualenv

Affected versions:

20.31.2+ds-120.33.1+ds-120.34.0+ds-120.35.3+ds-120.35.4+ds-120.36.1+ds-1

Debian:14python-virtualenv

Fixed in:

20.36.1+ds-1

References

ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2026-22702

CVSS Analysis

CVSS v3.1

4.5

Exploitability

Attack Vector

LocalAV:L

Attack Complexity

HighAC:H

Privileges Required

LowPR:L

User Interaction

NoneUI:N

Scope

UnchangedS:U

Impact

Confidentiality

LowC:L

Integrity

LowI:L

Availability

LowA:L

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

Upstream

CVE-2026-22702

Ecosystems

Debian 11 Debian 12 Debian 13 Debian 14

Timeline

PublishedJan 10, 2026

ModifiedJan 13, 2026

DEBIAN-CVE-2026-22702 | Mondoo Vulnerability Intelligence