CVE-2026-0864

Description

When using the "configparser" module to write configuration files containing multi-line text values with carriage return characters (\r) the resulting file could be injected with unexpected keys and values if the attacker controls the written value.

CVSS breakdown

CVSS 4.0

Attack Vector

Local

Attack Complexity

Low

Attack Requirements

Present

Privileges Required

High

User Interaction

Passive

Confidentiality (Vulnerable System)

None

Integrity (Vulnerable System)

High

Availability (Vulnerable System)

None

Confidentiality (Subsequent System)

None

Integrity (Subsequent System)

None

Availability (Subsequent System)

None

Affected products

Python Software Foundation / CPython0 – 3.15.0

References

PATCHhttps://github.com/python/cpython/pull/151559
MISChttps://mail.python.org/archives/list/security-announce@python.org/thread/CV4NE6AFCRJL7XQOHX7J5TSDHUWVWGJS/
MISChttps://github.com/python/cpython/issues/143927
PATCHhttps://github.com/python/cpython/commit/5858e42c539dac8394636a6e9b30472b8994851f
PATCHhttps://github.com/python/cpython/commit/0adb386f6e68eb2e73d32e19f235d012df009528
PATCHhttps://github.com/python/cpython/commit/71f2e02a52d47417a6fd69f456346cd8aa7aca98
PATCHhttps://github.com/python/cpython/commit/aaf850fd333cd89e9aada03d92aaa788a6cb1bb8