The vulnerability in CPython's tarfile module arises because it applies normalization of AREGTYPE (\x00) blocks to DIRTYPE even when processing multi-block members such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This behavior can lead to a crafted tar archive being interpreted differently by the tarfile module compared to other implementations, potentially causing unexpected behavior when handling such archives. The affected versions include CPython 0, 3.14.0, and 3.15.0a1. The CVSS 4.0 base score is 2.0, indicating low severity, with attack vector local, high attack complexity, and partial impact on integrity and availability.

The impact is limited due to the low CVSS score of 2.0 and the requirement for local access with high attack complexity. The vulnerability may cause the tarfile module to misinterpret crafted tar archives, which could lead to incorrect processing of archive contents. There is no indication of remote exploitation or privilege escalation. No known exploits are reported in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should exercise caution when processing untrusted tar archives with the tarfile module. No specific vendor mitigation or workaround information is currently available.