CVE-2022-26488 is an escalation of privilege vulnerability in the Windows installer for the following releases of CPython:
- 3.11.0a6 and earlier
- 3.10.2 and earlier
- 3.9.10 and earlier
- 3.8.12 and earlier
- 3.7.12 and earlier
- All end-of-life releases of 3.5 and 3.6
The vulnerability exists when installed for all users with the "Add Python to PATH" option selected. A local user without administrative permissions can trigger a repair operation of this PATH option to add incorrect additional paths to the system PATH variable, and then use search path hijacking to achieve escalation of privilege. Per-user installs (the default) are also affected, but cannot be used for escalation of privilege.
Besides updating, this vulnerability may be mitigated by modifying an existing install to disable the "Add Python to PATH" or "Add Python to environment variables" option. Manually adding the install directory to PATH is not affected.
Issue: https://bugs.python.org/issue46948 Patches
- main: https://github.com/python/cpython/pull/31726
- 3.10: https://github.com/python/cpython/pull/31727
- 3.9: https://github.com/python/cpython/pull/31728
- 3.8: https://github.com/python/cpython/pull/31729
- 3.7: https://github.com/python/cpython/pull/31730
The next patched releases on python.org will be 3.11.0b1, 3.10.3 and 3.9.11 with installers, and 3.8.13 and 3.7.13 as source code only.
Thanks to the Lockheed Martin Red Team for detecting and reporting the issue to the Python Security Response Team.
Discussion to security-sig@python.org.
Cheers, Steve Dower Python Security Response Team