
CVE-2026-22701: CWE-59: Improper Link Resolution Before File Access ('Link Following') in tox-dev filelock

Severity: Medium
Tags: Vulnerability, CVE-2026-22701, CWE-59, CWE-362, CWE-367
Published: Sat Jan 10 2026 (01/10/2026, 05:59:28 UTC)
Source: CVE Database V5
Vendor/Project: tox-dev
Product: filelock

Description

filelock is a platform-independent file lock for Python. Prior to version 3.20.3, a TOCTOU race condition vulnerability exists in the SoftFileLock implementation of the filelock package. An attacker with local filesystem access and permission to create symlinks can exploit a race condition between the permission validation and file creation to cause lock operations to fail or behave unexpectedly. The vulnerability occurs in the _acquire() method between raise_on_not_writable_file() (permission check) and os.open() (file creation). During this race window, an attacker can create a symlink at the lock file path, potentially causing the lock to operate on an unintended target file or leading to denial of service. This issue has been patched in version 3.20.3.

AI-Powered Analysis

AI analysis last updated: 01/10/2026, 06:24:17 UTC

Technical Analysis

CVE-2026-22701 identifies a time-of-check to time-of-use (TOCTOU) race condition in the SoftFileLock implementation of the Python filelock package, versions prior to 3.20.3. The vulnerability arises in the _acquire() method, between the permission validation function raise_on_not_writable_file() and the subsequent os.open() call that creates the lock file. During this small race window, an attacker with local filesystem access and the ability to create symbolic links can place a symlink at the lock file path. The lock operation then acts on an unintended target file or directory, which can cause the lock to fail or behave unpredictably. The consequence can be denial of service (DoS), by preventing proper lock acquisition, or unintended side effects on files that were never meant to be locked. The vulnerability is categorized under CWE-59 (Improper Link Resolution Before File Access), CWE-362 (Race Condition), and CWE-367 (Time-of-check Time-of-use Race Condition). Exploitation requires local access with permission to create symlinks; no user interaction is necessary, and the attack complexity is high because of the timing precision needed. The CVSS v3.1 base score is 5.3 (medium severity), reflecting no confidentiality impact, limited integrity impact, and high availability impact. No known exploits in the wild have been reported. The issue was patched in filelock version 3.20.3 by eliminating the race condition in the lock acquisition process.
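The analysis above describes the check-then-open shape of the bug. The following is an added illustration written for this entry, not filelock's code and not a reproduction of the pre-3.20.3 _acquire(): all function and exception names are hypothetical. It puts a generic check-then-open acquire next to an open-then-check acquire (one os.open() with O_CREAT|O_EXCL|O_NOFOLLOW, with the permission error coming from that same call), and runs both in a temporary directory where a symlink already occupies the lock path. The timing window itself is not reproduced; the pre-placed symlink simply shows what each pattern does once the path has been swapped, which is the check a reviewer wants when vetting a filesystem lock primitive.

```python
import errno
import os
import stat
import tempfile

# Added illustration for this entry; hypothetical names, not filelock's code.


class LockHeld(OSError):
    """Another holder already created the lock file."""


class SymlinkAtLockPath(OSError):
    """The lock path is occupied by a symlink, which we refuse to go through."""


def acquire_check_then_open(lock_path):
    """Check-then-open (the CWE-367 shape): a permission check on the *path*,
    then a separate os.open() on the same path. Both steps resolve symlinks,
    and nothing ties the second step to what the first one observed."""
    # Time of check: is the path writable? (Follows a symlink if one is there.)
    if os.path.exists(lock_path) and not os.access(lock_path, os.W_OK):
        raise PermissionError(errno.EACCES, "lock file not writable", lock_path)
    # Time of use: without O_EXCL/O_NOFOLLOW, os.open() follows a symlink too,
    # so the descriptor may refer to the link's target rather than a lock file.
    return os.open(lock_path, os.O_WRONLY | os.O_CREAT, 0o644)


def acquire_open_then_check(lock_path):
    """Open-then-check: create in one syscall, then reason about the result.

    O_EXCL     creation fails with EEXIST if *anything* occupies the path,
               a symlink included (it is not followed).
    O_NOFOLLOW belt-and-braces for platforms/flag combinations where O_EXCL
               alone does not imply it; 0 where the platform lacks the flag.
    A missing write permission surfaces as EACCES from this same call, so
    there is no separate pre-check and no window between check and use."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(lock_path, flags, 0o644)
    except FileExistsError:
        # Diagnose with lstat (does not follow links). Informational only:
        # either way this process has not touched whatever sits at the path.
        try:
            if stat.S_ISLNK(os.lstat(lock_path).st_mode):
                raise SymlinkAtLockPath(f"symlink at lock path: {lock_path}")
        except FileNotFoundError:
            pass  # removed in the meantime; report as contended, caller retries
        raise LockHeld(f"lock already held: {lock_path}")
    # Post-condition on the descriptor, not the path. O_EXCL guarantees we
    # created a fresh regular file, so this is a cheap sanity check.
    if not stat.S_ISREG(os.fstat(fd).st_mode):
        os.close(fd)
        raise SymlinkAtLockPath(f"lock path is not a regular file: {lock_path}")
    return fd


def compare_in_sandbox():
    """Constructed scenario: a symlink already occupies the lock path, the
    state the race in the advisory leaves behind. Returns what each pattern did."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "unrelated.txt")
        with open(target, "w") as f:
            f.write("some other file\n")
        lock_path = os.path.join(d, "job.lock")
        os.symlink(target, lock_path)

        # Check-then-open: the path check passes (the target is writable) and
        # the descriptor handed back is the unrelated file, not a lock file.
        fd = acquire_check_then_open(lock_path)
        followed = os.fstat(fd).st_ino == os.stat(target).st_ino
        os.close(fd)

        # Open-then-check: O_EXCL refuses the occupied path outright.
        try:
            acquire_open_then_check(lock_path)
            refused = False
        except SymlinkAtLockPath:
            refused = True

        # Normal operation on a clean path: first acquire wins, second sees LockHeld.
        clean = os.path.join(d, "clean.lock")
        fd = acquire_open_then_check(clean)
        try:
            acquire_open_then_check(clean)
            contended = False
        except LockHeld:
            contended = True
        os.close(fd)

    return {
        "check_then_open_followed_symlink": followed,
        "open_then_check_refused_symlink": refused,
        "second_acquire_sees_lock_held": contended,
    }


if __name__ == "__main__":
    print(compare_in_sandbox())
```

The design point is that the hardened form never consults the path twice: creation, exclusivity and the permission check are one kernel operation on the final path component, and anything the caller wants to verify afterwards is verified on the file descriptor with fstat rather than on the path. The lstat in the EEXIST branch is only there to produce a clearer error; the decision not to touch the target was already made by O_EXCL.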

Potential Impact

For European organizations, the primary impact of this vulnerability lies in the potential disruption of applications or services relying on the filelock package for synchronization and concurrency control. Improper locking can lead to race conditions in application logic, data corruption, or denial of service scenarios where critical processes fail to acquire necessary locks. This can affect software development environments, automated build systems, CI/CD pipelines, and any Python-based services that utilize filelock for file synchronization. While confidentiality is not directly impacted, integrity and availability of operations depending on filelock can be compromised. Organizations with internal or shared development environments where users have local access and can create symlinks are at higher risk. The vulnerability could be exploited by malicious insiders or attackers who have gained limited local access. The absence of known exploits reduces immediate risk, but the medium severity score and ease of patching mean organizations should prioritize remediation to avoid potential disruption.

Mitigation Recommendations

European organizations should immediately upgrade the filelock package to version 3.20.3 or later to eliminate the TOCTOU race condition. For environments where immediate upgrade is not feasible, consider restricting local filesystem permissions to prevent untrusted users from creating symbolic links, especially in directories where lock files are created. Implement monitoring to detect unusual symlink creation or unexpected lock file behavior. Review and harden access controls on development and build servers to limit local access to trusted personnel only. Additionally, consider using alternative locking mechanisms that do not rely on filesystem locks or that have been verified to be free from such race conditions. Incorporate security testing and code review practices to detect similar TOCTOU vulnerabilities in custom synchronization code. Finally, maintain awareness of updates to dependencies and apply security patches promptly.


Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2026-01-08T19:23:09.856Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 6961ed34c540fa4b542a0971

Added to database: 1/10/2026, 6:09:56 AM

Last enriched: 1/10/2026, 6:24:17 AM

Last updated: 1/10/2026, 10:27:35 PM

Views: 11
