Vulnerability Description
DISPUTED: The project has clarified that the documentation was incorrect, and that pkgutil.get_data() has the same security model as open(). The documentation has been updated to clarify this point. There is no vulnerability in the function if following the intended security model. pkgutil.get_data() did not validate the resource argument as documented, allowing path traversals.
Related Weaknesses (CWE)
References
- https://github.com/python/cpython/commit/5af6ce3e7b643a30a02d22245c1e3f4a8bc0a1f
- https://github.com/python/cpython/commit/bcdf231946b1da8bdfbab4c05539bb0cc964a1c
- https://github.com/python/cpython/commit/cf59bf76470f3d75ad47d80ffb8ce76b64b5e94
- https://github.com/python/cpython/commit/d786d59a8f7196bb630100a869f28ad13436b59
- https://github.com/python/cpython/issues/146121
- https://github.com/python/cpython/pull/146122
- https://mail.python.org/archives/list/[email protected]/thread/WYLLVQ
FAQ
What is CVE-2026-3479?
CVE-2026-3479 is a documented vulnerability. DISPUTED: The project has clarified that the documentation was incorrect, and that pkgutil.get_data() has the same security model as open(). The documentation has been updated to clarify this point. T...
How severe is CVE-2026-3479?
CVSS scoring is not yet available for CVE-2026-3479. Check NVD for updates.
Is there a patch for CVE-2026-3479?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.