[New-bugs-announce] [issue46948] [CVE-2022-26488] Escalation of privilege via Windows Installer

Steve Dower report at bugs.python.org
Mon Mar 7 11:33:18 EST 2022

New submission from Steve Dower <steve.dower at python.org>:

CVE-2022-26488 is an escalation of privilege vulnerability in the Windows installer for the following releases of CPython:

* 3.11.0a6 and earlier
* 3.10.2 and earlier
* 3.9.10 and earlier
* 3.8.12 and earlier
* All end-of-life releases of 3.5, 3.6 and 3.7

The vulnerability exists when installed for all users, and when the "Add Python to PATH" option has been selected. A local user without administrative permissions can trigger a repair operation that adds incorrect additional paths to the system PATH variable, and then use search path hijacking to achieve escalation of privilege. Per-user installs (the default) are also affected, but cannot be used for escalation of privilege.

Besides updating, this vulnerability may be mitigated by modifying an existing install to disable the "Add Python to PATH" or "Add Python to environment variables" option. Manually adding the install directory to PATH is not affected.

Thanks to the Lockheed Martin Red Team for detecting and reporting the issue to the Python Security Response Team.

assignee: steve.dower
components: Windows
messages: 414673
nosy: lukasz.langa, ned.deily, pablogsal, paul.moore, steve.dower, tim.golden, zach.ware
priority: release blocker
severity: normal
stage: needs patch
status: open
title: [CVE-2022-26488] Escalation of privilege via Windows Installer
type: security
versions: Python 3.10, Python 3.11, Python 3.7, Python 3.8, Python 3.9

Python tracker <report at bugs.python.org>
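The advisory above describes the condition that makes the bug exploitable (an entry on the machine-wide PATH that a non-administrator can populate) without naming the paths the repair operation adds. The following audit script is an added example for defenders; it is not part of this tracker issue, the CPython installer, or the Python Security Response Team's guidance. It checks the general condition rather than installer-specific paths: every entry of the Machine-scope PATH is flagged if it is relative, missing, or grants write or append rights to a broad non-admin principal. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, run with rights to read directory ACLs; the principal list and the message text are the script's own choices.

```powershell
# Added audit script; not code from the CPython tracker issue or the CPython installer.
# Scope: the Machine PATH only, because the advisory states that per-user installs
# cannot be used for escalation of privilege.
# Assumes Windows PowerShell 5.1+ on Windows with rights to read directory ACLs.
using namespace System.Security.AccessControl

function Get-MachinePathRisk {
    # Principals whose write access to a PATH directory would let a standard user
    # plant a binary there (list chosen for this example; extend for your environment).
    $broadPrincipals = @(
        'Everyone',
        'BUILTIN\Users',
        'NT AUTHORITY\Authenticated Users',
        'NT AUTHORITY\INTERACTIVE'
    )
    # WriteData (create files) and AppendData (create subdirectories) are the bits
    # that matter; Write, Modify and FullControl all include them.
    $writeMask = [int]([FileSystemRights]::WriteData -bor [FileSystemRights]::AppendData)

    $raw = [Environment]::GetEnvironmentVariable('Path', 'Machine')
    $entries = $raw -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ }

    foreach ($entry in $entries) {
        $dir = [Environment]::ExpandEnvironmentVariables($entry)

        # A relative entry is resolved against the current directory of each process.
        if (-not [System.IO.Path]::IsPathRooted($dir)) {
            [pscustomobject]@{ Entry = $entry; Finding = 'Relative entry' }
            continue
        }
        # A missing directory can be created by whoever can write its parent.
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
            [pscustomobject]@{ Entry = $entry; Finding = 'Directory does not exist' }
            continue
        }
        try {
            $acl = Get-Acl -LiteralPath $dir
        } catch {
            [pscustomobject]@{ Entry = $entry; Finding = "ACL not readable: $($_.Exception.Message)" }
            continue
        }
        # Report every Allow ACE that gives a broad principal create/write rights.
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($broadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
            [pscustomobject]@{
                Entry   = $entry
                Finding = "Writable by $($ace.IdentityReference.Value) ($($ace.FileSystemRights))"
            }
        }
    }
}

Get-MachinePathRisk | Format-Table -AutoSize
```

No output means no Machine PATH entry matched any of the three conditions. Run it before and after applying the mitigation described above (disabling the "Add Python to PATH" option in an all-users install) to confirm that the entries the repair operation added are gone; any remaining finding should be resolved by tightening the directory's ACL or removing the entry from PATH.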
