{"id":"PSF-2026-28","details":"To allow builds of Python to be run from an in-tree layout (rather than\nan installed file layout), the VPATH variable is defined at build time\nand used to locate certain landmarks - specifically,\nModules/setup.local. When this landmark is found relative to VPATH\nrelative to the executable, Python assumes it is running in a source\ntree and generates a different default sys.path. This code remains in\nrelease builds, so that release-ready builds can be built in-tree.\n\nOn Windows, since builds are written to 'PCbuild/', the value of\nVPATH is set to '..\\..', which results in a landmark of\n'..\\..\\Modules\\setup.local'. This path is outside the install directory\nof Python, and may have different permissions, potentially allowing a\nlow-privilege user to create the landmark and an alternative `Lib`\nfolder that will be discovered by an otherwise restricted install.\n\nSuch a setup occurs with the legacy default install location for all\nusers (in the now superseded EXE installer), due to how Windows allows\nall users to create folders in the root directory of their OS drive.\n\nOur recommended mitigation on Windows is to migrate away from the\nlegacy installer and use the new [Python install\nmanager](https://www.python.org/downloads/latest/pymanager/) to install\nfor the current user. Installs where the directory two levels above the\nPython installation directory have equivalent permissions are unaffected\n(in general, a per-user install cannot be modified at all by other\nusers, removing any escalation of privilege risk, and could be directly\nmodified by a privileged user, making the potential tampering\nirrelevant). Alternative mitigations might include preemptively creating\nand restricting access to a `Modules` directory. Be aware that only 3.13\nand 3.14 will receive updated legacy installers - earlier fixes are only\nprovided as sources.\n\nPlatforms other than Windows allow VPATH to be overridden, but as they\ndon't usually use a separated directory in the build for binaries, are\nunlikely to have a landmark reference outside of the install directory.\n\nThe landmark detection involving VPATH is a fallback for when a more\nspecific landmark - .\\pybuilddir.txt - is absent, and was included for\ncompatibility. Future releases of Python will no longer include the\nfallback, and so builds will need to generate or preserve the\npybuilddir.txt file in order to work in-tree. This landmark file has\nbeen generated on Windows since 3.11, and on other platforms for longer.","aliases":["BIT-libpython-2026-12003","BIT-python-2026-12003","BIT-python-min-2026-12003","CVE-2026-12003"],"modified":"2026-06-18T10:41:04.676915873Z","published":"2026-06-16T15:18:42.998Z","database_specific":{"cwe_ids":[]},"references":[{"type":"WEB","url":"https://github.com/python/cpython/pull/151545"},{"type":"REPORT","url":"https://github.com/python/cpython/issues/151544"},{"type":"ADVISORY","url":"https://https://mail.python.org/archives/list/security-announce@python.org/thread/JIFOBO7UX3LY4VJKJUOKYJV62CFR2IRH/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/python/cpython","events":[{"introduced":"0"}]}],"versions":["v3.13.14","v3.14.6","v3.15.0b2","v3.14.5","v3.15.0b1","v3.14.5rc1","v3.13.13","v3.14.4","v3.15.0a8","v3.15.0a7","v3.12.13","v3.10.20","v3.11.15","v3.15.0a6","v3.13.12","v3.14.3","v3.15.0a5","v3.15.0a4","v3.15.0a3","v3.14.2","v3.13.11","v3.13.10","v3.14.1","v3.15.0a2","v3.9.25","3.9","v3.13.9","v3.15.0a1","v3.13.8","v3.11.14","v3.10.19","v3.9.24","v3.12.12","v3.14.0","v3.14.0rc3","v3.13.7","v3.14.0rc2","v3.13.6","v3.14.0rc1","v3.14.0b4","v3.14.0b3","v3.13.5","v3.13.4","v3.11.13","v3.9.23","v3.10.18","v3.12.11","v3.14.0b2","v3.14.0b1","v3.9.22","v3.13.3","v3.11.12","v3.12.10","v3.14.0a7","v3.10.17","v3.14.0a6","v3.14.0a5","v3.13.2","v3.12.9","v3.14.0a4","v3.14.0a3","v3.13.1","v3.12.8","v3.10.16","v3.11.11","v3.9.21","v3.14.0a2","v3.14.0a1","v3.13.0","v3.13.0rc3","v3.12.7","v3.11.10","v3.10.15","v3.13.0rc2","v3.12.6","v3.8.20","3.8","v3.9.20","v3.12.5","v3.13.0rc1","v3.13.0b4","v3.13.0b3","v3.12.4","v3.13.0b2","v3.13.0b1","v3.13.0a6","v3.12.3","v3.11.9","v3.10.14","v3.8.19","v3.9.19","v3.13.0a5","v3.13.0a4","v3.12.2","v3.11.8","v3.13.0a3","v3.12.1","v3.11.7","v3.13.0a2","v3.13.0a1","v3.11.6","v3.12.0","v3.12.0rc3","v3.12.0rc2","v3.8.18","v3.11.5","v3.9.18","v3.10.13","v3.12.0rc1","v3.12.0b4","3.7","v3.12.0b3","v3.11.4","v3.10.12","v3.12.0b2","v3.7.17","v3.8.17","v3.9.17","v3.12.0b1","v3.10.11","v3.11.3","v3.12.0a7","v3.12.0a6","v3.10.10","v3.11.2","v3.12.0a5","v3.12.0a4","v3.12.0a3","v3.10.9","v3.11.1","v3.7.16","v3.8.16","v3.9.16","v3.12.0a2","v3.12.0a1","v3.11.0","v3.11.0rc2","v3.8.15","v3.10.8","v3.9.15","v3.7.15","v3.7.14","v3.8.14","v3.9.14","v3.10.7","v3.11.0rc1","v3.10.6","v3.11.0b5","v3.11.0b4","v3.10.5","v3.11.0b3","v3.11.0b2","v3.9.13","v3.11.0b1","v3.11.0a7","v3.10.4","v3.9.12","v3.7.13","v3.9.11","v3.10.3","v3.8.13","v3.11.0a6","v3.11.0a5","v3.9.10","v3.11.0a4","v3.10.2","3.6","v3.11.0a3","v3.10.1","v3.9.9","v3.11.0a2","v3.9.8","v3.11.0a1","v3.10.0","v3.10.0rc2","v3.7.12","v3.6.15","v3.9.7","v3.8.12","v3.10.0rc1","v3.10.0b4","v3.6.14","v3.7.11","v3.8.11","v3.9.6","v3.10.0b3","v3.10.0b2","v3.10.0b1","v3.9.5","v3.8.10","v3.10.0a7","v3.9.4","v3.9.3","v3.8.9","v3.10.0a6","v3.9.2","v3.8.8","v3.9.2rc1","v3.8.8rc1","v3.6.13","v3.7.10","v3.10.0a5","v3.10.0a4","v3.8.7","v3.10.0a3","v3.9.1","v3.8.7rc1","v3.9.1rc1","v3.10.0a2","v3.10.0a1","v3.9.0","v3.8.6","v3.9.0rc2","v3.8.6rc1","3.5","v3.5.10","v3.5.10rc1","v3.6.12","v3.7.9","v3.9.0rc1","v3.9.0b5","v3.8.5","v3.8.4","v3.9.0b4","v3.8.4rc1","v3.7.8","v3.6.11","v3.6.11rc1","v3.7.8rc1","v3.9.0b3","v3.9.0b2","v3.9.0b1","v3.8.3","v3.8.3rc1","v3.9.0a6","v2.7.18","2.7","v2.7.18rc1","v3.9.0a5","v3.7.7","v3.7.7rc1","v3.9.0a4","v3.8.2","v3.8.2rc2","v3.8.2rc1","v3.9.0a3","v3.9.0a2","v3.8.1","v3.7.6","v3.6.10","v3.6.10rc1","v3.7.6rc1","v3.8.1rc1","v3.9.0a1","v3.5.9","v3.5.8","v2.7.17","v3.7.5","v3.8.0","v3.5.8rc2","v3.5.8rc1","v2.7.17rc1","v3.7.5rc1","v3.8.0rc1","v3.8.0b4","v3.8.0b3","v3.7.4","v3.7.4rc2","v3.8.0b2","v3.6.9","v3.7.4rc1","v3.6.9rc1","v3.8.0b1","3.4","v3.4.10","v3.8.0a4","v3.8.0a3","v3.7.3","v3.7.3rc1","v3.5.7","v3.5.7rc1","v3.4.10rc1","v2.7.16","v3.8.0a2","v2.7.16rc1","v3.8.0a1","v3.7.2","v3.6.8","v3.7.2rc1","v3.6.8rc1","v3.7.1","v3.6.7","v3.6.7rc2","v3.7.1rc2","v3.7.1rc1","v3.6.7rc1","v3.5.6","v3.4.9","v3.5.6rc1","v3.4.9rc1","v3.7.0","v3.6.6","v3.7.0rc1","v3.6.6rc1","v3.7.0b5","v3.7.0b4","v2.7.15","v2.7.15rc1","v3.7.0b3","v3.6.5","v3.6.5rc1","v3.7.0b2","v3.5.5","v3.4.8","v3.5.5rc1","v3.4.8rc1","v3.7.0b1","v3.7.0a4","v3.6.4","v3.6.4rc1","v3.7.0a3","v3.7.0a2","v3.6.3","v3.6.3rc1","3.3","v3.3.7","v3.7.0a1","v2.7.14","v3.3.7rc1","v2.7.14rc1","v3.4.7","v3.5.4","v3.5.4rc1","v3.4.7rc1","v3.6.2","v3.6.2rc2","v3.6.2rc1","v3.6.1","v3.6.1rc1","v3.4.6","v3.5.3","v3.5.3rc1","v3.4.6rc1","v3.6.0","v3.6.0rc2","v2.7.13","v3.6.0rc1","v2.7.13rc1","v3.6.0b4","v3.6.0b3","v3.6.0b2","v3.6.0b1","v3.6.0a4","3.2","v3.6.0a3","v3.4.5","v3.5.2","v2.7.12","v3.6.0a2","v3.4.5rc1","v3.5.2rc1","v2.7.12rc1","v3.6.0a1","v3.4.4","v3.4.4rc1","v3.5.1","v2.7.11","v3.5.1rc1","v2.7.11rc1","v3.5.0","v3.5.0rc4","v3.5.0rc3","v3.5.0rc2","v3.5.0rc1","v3.5.0b4","v3.5.0b3","v3.5.0b2","v3.5.0b1","v2.7.10","v2.7.10rc1","v3.5.0a4","v3.5.0a3","v3.5.0a2","v3.4.3","v3.5.0a1","v3.4.3rc1","v2.7.9","v2.7.9rc1","2.6","3.1","v3.3.6","v3.2.6","v3.4.2","v3.3.6rc1","v3.2.6rc1","v3.4.2rc1","v2.7.8","v2.7.7","v3.4.1","v2.7.7rc1","v3.4.1rc1","v3.4.0","v3.4.0rc3","v3.3.5","v3.3.5rc2","v3.4.0rc2","v3.3.5rc1","v3.4.0rc1","v3.3.4","v3.3.4rc1","v3.4.0b3","v3.4.0b2","v3.4.0b1","v3.3.3","v3.3.3rc2","v2.7.6","v2.6.9","v3.3.3rc1","v2.7.6rc1","v3.4.0a4","v2.6.9rc1","v3.4.0a3","v3.4.0a2","v3.4.0a1","v3.3.2","v3.2.5","v2.7.5","v2.7.4","v3.3.1","v3.2.4","v3.3.1rc1","v3.2.4rc1","v2.7.4rc1","v3.3.0","v3.3.0rc3","v3.3.0rc2","v3.3.0rc1","v3.3.0b2","v3.3.0b1","v3.3.0a4","v3.3.0a3","v3.2.3","v2.6.8","v2.7.3","v3.1.5","v3.3.0a2","v3.2.3rc2","v2.6.8rc2","v3.1.5rc2","v2.7.3rc2","v3.3.0a1","v3.2.3rc1","v2.6.8rc1","v2.7.3rc1","v3.1.5rc1","2.5","v3.2.2","v3.2.2rc1","v3.2.1","v3.2.1rc2","v3.1.4","v2.7.2","v2.6.7","v2.7.2rc1","v3.1.4rc1","v2.5.6c1","v2.5.6","v3.2.1rc1","v3.2.1b1","3.0","legacy-trunk","v2.7","2.4","2.3","2.2","2.1","2.0","v2.0.1","v3.2","v3.2rc3","v3.2rc2","v3.2rc1","v3.2b2","v3.2b1","v3.1.3","v2.7.1","v2.7.1rc1","v3.1.3rc1","v3.2a4","v3.2a3","v3.2a2","v2.6.6","v2.6.6rc2","v2.6.6rc1","v3.2a1","v2.7rc2","v2.7rc1","v2.7b2","v2.7b1","v3.1.2","v2.6.5","v2.6.5rc2","v3.1.2rc1","v2.7a4","v2.6.5rc1","v2.7a3","v2.5.5","v2.5.5c2","v2.5.5c1","v2.7a2","v2.7a1","v2.6.4","v2.6.4rc2","v2.6.4rc1","v2.6.3","v2.6.3rc1","v3.1.1","v3.1.1rc1","v3.1","v3.1rc2","v3.1rc1","v3.1b1","v2.6.2","v2.6.2c1","v3.1a2","v3.1a1","v3.0.1","v2.5.4","v2.5.3","v2.4.6","v2.5.3c1","v2.4.6c1","v2.6.1","v3.0","v3.0rc3","v3.0rc2","v2.6","v2.6rc2","v3.0rc1","v2.6rc1","v3.0b3","v2.6b3","v2.6b2","v3.0b2","v2.6b1","v3.0b1","v2.6a3","v3.0a5","v2.6a2","v3.0a4","v2.4.5","v2.3.7","v2.3.7c1","v2.4.5c1","v3.0a3","v2.6a1","v2.5.2","v2.5.2c1","v3.0a2","v3.0a1","v2.5.1","v2.5.1c1","v2.3.6","v2.3.6c1","v2.4.4","v2.4.4c1","v2.5","v2.5c2","v2.5c1","v2.5b3","v2.5b2","v2.5b1","v2.5a2","v2.5a1","v2.5a0","v2.4.3","v2.4.3c1","v2.4.2","v2.4.2c1","v2.4.1","v2.3.5","v2.4.1c2","v2.4.1c1","v2.3.5c1","v2.4","v2.4c1","v2.4b2","v2.4b1","v2.4a3","v2.4a2","v2.4a1","v2.3.4","v2.3.4c1","v2.3.3","v2.3.3c1","v2.3.2","v2.3.2c1","v2.3.1","v2.3c2","v2.3c1","v2.2.3","v2.2.3c1","v2.2.2","v2.2.2b1","v2.1.3","v2.2.1","v2.2","v2.2.1c2","v2.2.1c1","v2.1.2","v2.1.2c1","v2.2a3","v2.1.1","v2.1.1c1","v2.0.1c1","v2.1","v2.1c2","v2.1c1","v2.1b2","v2.1b1","v2.1a2","v2.1a1","v2.0","v2.0c1","v2.0b2","v2.0b1","v1.6a2","v1.6a1","v1.5.2","v1.5.2c1","v1.5.2b2","v1.5.2b1","v1.5.2a2","v1.5.2a1","v1.5.1","v1.5","v1.5b2","v1.5b1","v1.5a4","v1.5a3","v1.5a2","v1.5a1","v1.4","v1.4b3","v1.4b2","v1.4b1","v1.3","v1.3b1","v1.2","v1.2b4","v1.2b3","v1.2b2","v1.2b1","v1.1.1","v1.1","v1.0.2","v1.0.1","v0.9.9","v0.9.8"],"database_specific":{"source":"https://github.com/psf/advisory-database/blob/main/advisories/python/PSF-2026-28.json"}}],"schema_version":"1.7.5"}