Python tarfile module: Denial of Service via improper EOF handling in streaming mode
Summary
When using the "tarfile" module with a file opened in "streaming mode" (mode="r|") the tarfile module did not properly handle EOF, making archive parsing take exponentially longer. A flaw was found in the Python `tarfile` module. When processing a specially crafted tar archive opened in 'streaming mode' (mode='r|'), the module does not properly handle the end-of-file (EOF) condition. This can cause the `tarfile` module to enter an infinite loop, leading to a Denial of Service (DoS) for applications processing such archives. A flaw was found in the Python tarfile module. When processing a tar archive in streaming mode (mode='r|'), the _Stream.seek function does not properly check for end-of-file, which can cause an infinite loop when processing a specially crafted archive. Red Hat ships Python as part of many products, and applications using tarfile's streaming mode are potentially affected by this denial of service vulnerability. Red Hat severity: Moderate — CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H). Weakness: CWE-835. Fixed by RHSA-2026:35806, RHSA-2026:35807, RHSA-2026:35812, RHSA-2026:35813 — update the affected packages (`sudo dnf update`). Affected Red Hat products: Red Hat Hardened Images.
- python3-11-main-3.11.15-4.4.hum1
- python3-14-main-3.14.6-1.2.hum1
- python3-13-main-3.13.14-1.2.hum1
- python3-12-main-3.12.13-3.3.hum1
Official advisory · high-confidence parse· fetched 6 hours ago·verify at source
- python3-14-main-3.14.6-1.2.hum1
- python3-11-main-3.11.15-4.4.hum1
- python3-13-main-3.13.14-1.2.hum1
- python3-12-main-3.12.13-3.3.hum1
- RHSA-2026:35806
- RHSA-2026:35807
- RHSA-2026:35812
- RHSA-2026:35813
Official advisory · high-confidence parse· fetched 6 hours ago·verify at source
Mitigation checklist
- Avoid using tarfile streaming mode (mode='r|') with untrusted tar archives. Use the standard file-based mode (mode='r') instead where possible.
Official advisory · high-confidence parse· fetched 6 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.