CVE-2026-12003: CWE-427 in Python Software Foundation CPython
To allow builds of Python to be run from an in-tree layout (rather than an installed file layout), the VPATH variable is defined at build time and used to locate certain landmarks - specifically, Modules/setup.local. When this landmark is found relative to VPATH relative to the executable, Python assumes it is running in a source tree and generates a different default sys.path. This code remains in release builds, so that release-ready builds can be built in-tree. On Windows, since builds are written to 'PCbuild/', the value of VPATH is set to '..\..', which results in a landmark of '..\..\Modules\setup.local'. This path is outside the install directory of Python, and may have different permissions, potentially allowing a low-privilege user to create the landmark and an alternative `Lib` folder that will be discovered by an otherwise restricted install. Such a setup occurs with the legacy default install location for all users (in the now superseded EXE installer), due to how Windows allows all users to create folders in the root directory of their OS drive. Our recommended mitigation on Windows is to migrate away from the legacy installer and use the new [Python install manager](https://www.python.org/downloads/latest/pymanager/) to install for the current user. Installs where the directory two levels above the Python installation directory have equivalent permissions are unaffected (in general, a per-user install cannot be modified at all by other users, removing any escalation of privilege risk, and could be directly modified by a privileged user, making the potential tampering irrelevant). Alternative mitigations might include preemptively creating and restricting access to a `Modules` directory. Be aware that only 3.13 and 3.14 will receive updated legacy installers - earlier fixes are only provided as sources. Platforms other than Windows allow VPATH to be overridden, but as they don't usually use a separated directory in the build for binaries, are unlikely to have a landmark reference outside of the install directory. The landmark detection involving VPATH is a fallback for when a more specific landmark - .\pybuilddir.txt - is absent, and was included for compatibility. Future releases of Python will no longer include the fallback, and so builds will need to generate or preserve the pybuilddir.txt file in order to work in-tree. This landmark file has been generated on Windows since 3.11, and on other platforms for longer.
AI Analysis
Technical Summary
The vulnerability CVE-2026-12003 in CPython arises from the use of the VPATH variable during builds to locate the Modules/setup.local landmark. On Windows, the legacy installer writes builds to 'PCbuild/' with VPATH set to '..\\..', causing the landmark to be outside the Python install directory. This allows a low-privilege user to create the landmark and an alternative Lib folder that Python will load, potentially escalating privileges by modifying the sys.path. This behavior is due to Python assuming it is running in a source tree when the landmark is found relative to VPATH. The issue primarily affects legacy all-user installs on Windows where directory permissions allow such tampering. The fallback landmark detection will be removed in future releases, requiring the presence of a more specific landmark file (pybuilddir.txt) to avoid this issue. The vulnerability affects CPython versions before 3.15.0.
Potential Impact
A low-privilege user on Windows systems with legacy all-user Python installs can create or modify files outside the intended Python install directory, potentially causing Python to load malicious code by altering the sys.path. This can lead to privilege escalation or unauthorized code execution within the context of the Python interpreter. The impact is limited to affected versions and specific Windows installation scenarios where directory permissions allow such tampering.
Mitigation Recommendations
The vendor recommends migrating away from the legacy all-user installer on Windows to the new Python install manager, which installs Python per user and restricts modification by other users, effectively mitigating the risk. For legacy installs, alternative mitigations include preemptively creating and restricting access to the 'Modules' directory two levels above the Python installation directory to prevent unauthorized creation of the landmark. Only CPython versions 3.13 and 3.14 will receive updated legacy installers addressing this issue; earlier versions receive fixes only in source form. Future Python releases will remove the fallback landmark detection, requiring the presence of the pybuilddir.txt file to avoid this vulnerability. Patch status is not yet confirmed for all affected versions; check the vendor advisory for current remediation guidance.
CVE-2026-12003: CWE-427 in Python Software Foundation CPython
Description
To allow builds of Python to be run from an in-tree layout (rather than an installed file layout), the VPATH variable is defined at build time and used to locate certain landmarks - specifically, Modules/setup.local. When this landmark is found relative to VPATH relative to the executable, Python assumes it is running in a source tree and generates a different default sys.path. This code remains in release builds, so that release-ready builds can be built in-tree. On Windows, since builds are written to 'PCbuild/', the value of VPATH is set to '..\..', which results in a landmark of '..\..\Modules\setup.local'. This path is outside the install directory of Python, and may have different permissions, potentially allowing a low-privilege user to create the landmark and an alternative `Lib` folder that will be discovered by an otherwise restricted install. Such a setup occurs with the legacy default install location for all users (in the now superseded EXE installer), due to how Windows allows all users to create folders in the root directory of their OS drive. Our recommended mitigation on Windows is to migrate away from the legacy installer and use the new [Python install manager](https://www.python.org/downloads/latest/pymanager/) to install for the current user. Installs where the directory two levels above the Python installation directory have equivalent permissions are unaffected (in general, a per-user install cannot be modified at all by other users, removing any escalation of privilege risk, and could be directly modified by a privileged user, making the potential tampering irrelevant). Alternative mitigations might include preemptively creating and restricting access to a `Modules` directory. Be aware that only 3.13 and 3.14 will receive updated legacy installers - earlier fixes are only provided as sources. Platforms other than Windows allow VPATH to be overridden, but as they don't usually use a separated directory in the build for binaries, are unlikely to have a landmark reference outside of the install directory. The landmark detection involving VPATH is a fallback for when a more specific landmark - .\pybuilddir.txt - is absent, and was included for compatibility. Future releases of Python will no longer include the fallback, and so builds will need to generate or preserve the pybuilddir.txt file in order to work in-tree. This landmark file has been generated on Windows since 3.11, and on other platforms for longer.
CVSS v4.0
Score 5.3medium
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability CVE-2026-12003 in CPython arises from the use of the VPATH variable during builds to locate the Modules/setup.local landmark. On Windows, the legacy installer writes builds to 'PCbuild/' with VPATH set to '..\\..', causing the landmark to be outside the Python install directory. This allows a low-privilege user to create the landmark and an alternative Lib folder that Python will load, potentially escalating privileges by modifying the sys.path. This behavior is due to Python assuming it is running in a source tree when the landmark is found relative to VPATH. The issue primarily affects legacy all-user installs on Windows where directory permissions allow such tampering. The fallback landmark detection will be removed in future releases, requiring the presence of a more specific landmark file (pybuilddir.txt) to avoid this issue. The vulnerability affects CPython versions before 3.15.0.
Potential Impact
A low-privilege user on Windows systems with legacy all-user Python installs can create or modify files outside the intended Python install directory, potentially causing Python to load malicious code by altering the sys.path. This can lead to privilege escalation or unauthorized code execution within the context of the Python interpreter. The impact is limited to affected versions and specific Windows installation scenarios where directory permissions allow such tampering.
Mitigation Recommendations
The vendor recommends migrating away from the legacy all-user installer on Windows to the new Python install manager, which installs Python per user and restricts modification by other users, effectively mitigating the risk. For legacy installs, alternative mitigations include preemptively creating and restricting access to the 'Modules' directory two levels above the Python installation directory to prevent unauthorized creation of the landmark. Only CPython versions 3.13 and 3.14 will receive updated legacy installers addressing this issue; earlier versions receive fixes only in source form. Future Python releases will remove the fallback landmark detection, requiring the presence of the pybuilddir.txt file to avoid this vulnerability. Patch status is not yet confirmed for all affected versions; check the vendor advisory for current remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- PSF
- Date Reserved
- 2026-06-11T17:05:37.519Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a3196620b89be688808a441
Added to database: 6/16/2026, 6:30:58 PM
Last enriched: 6/16/2026, 6:46:19 PM
Last updated: 6/17/2026, 4:30:43 AM
Views: 9
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.