National Cybersecurity Institute (INCIBE). INCIBE-CERT section

CVE-2026-12003

CVSS v4.0 severity:
MEDIUM
Type:
CWE-427 Uncontrolled Search Path Element
Publication date:
16/06/2026
Last modified:
16/06/2026

Description

To allow builds of Python to be run from an in-tree layout (rather than an installed file layout), the VPATH variable is defined at build time and used to locate certain landmarks - specifically, Modules/setup.local. When this landmark is found at the VPATH location relative to the executable, Python assumes it is running in a source tree and generates a different default sys.path. This code remains in release builds, so that release-ready builds can be built in-tree.

On Windows, since builds are written to 'PCbuild/', the value of VPATH is set to '..\..', which results in a landmark of '..\..\Modules\setup.local'. This path is outside the install directory of Python, and may have different permissions, potentially allowing a low-privilege user to create the landmark and an alternative `Lib` folder that will be discovered by an otherwise restricted install.

Such a setup occurs with the legacy default install location for all users (in the now superseded EXE installer), due to how Windows allows all users to create folders in the root directory of their OS drive.

Our recommended mitigation on Windows is to migrate away from the legacy installer and use the new [Python install manager](https://www.python.org/downloads/latest/pymanager/) to install for the current user. Installs where the directory two levels above the Python installation directory has equivalent permissions are unaffected (in general, a per-user install cannot be modified at all by other users, removing any escalation of privilege risk, and could be directly modified by a privileged user, making the potential tampering irrelevant). Alternative mitigations might include preemptively creating and restricting access to a `Modules` directory.

Be aware that only 3.13 and 3.14 will receive updated legacy installers - earlier fixes are only provided as sources.

Platforms other than Windows allow VPATH to be overridden, but as they don't usually use a separated directory in the build for binaries, they are unlikely to have a landmark reference outside of the install directory.

The landmark detection involving VPATH is a fallback for when a more specific landmark - .\pybuilddir.txt - is absent, and was included for compatibility. Future releases of Python will no longer include the fallback, and so builds will need to generate or preserve the pybuilddir.txt file in order to work in-tree. This landmark file has been generated on Windows since 3.11, and on other platforms for longer.
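As an added defender-side check, not part of the advisory or of CPython itself: the script below computes, for a given python.exe path, the location the VPATH fallback would probe (assuming the '..\..' value the advisory gives for Windows), reports whether a Modules/setup.local or alternative Lib directory is already present there and whether the current user could create one, and builds a constructed sample layout to show the difference between an all-users style install and a per-user one. Function names and sample paths are assumptions made for this example.

```python
"""Check a Python install for the VPATH fallback landmark discussed above."""
import os
import tempfile

# On Windows, builds land in PCbuild/, so VPATH is '..\..' and the fallback probes
# ..\..\Modules\setup.local relative to the executable's directory (per the advisory).
VPATH = os.path.join("..", "..")


def landmark_paths(executable, vpath=VPATH):
    """Return (landmark, lib_dir): Modules/setup.local and Lib under the
    directory reached by joining the executable's directory with vpath."""
    exe_dir = os.path.dirname(os.path.abspath(executable))
    base = os.path.normpath(os.path.join(exe_dir, vpath))
    return os.path.join(base, "Modules", "setup.local"), os.path.join(base, "Lib")


def audit(executable, vpath=VPATH):
    """Report whether the landmark or an alternative Lib already exists at the
    probed location and whether the current user could create them there.
    'base_writable' uses os.access as a portable approximation; on Windows the
    authoritative check is the ACL of 'base' (for example via icacls)."""
    landmark, lib_dir = landmark_paths(executable, vpath)
    base = os.path.dirname(os.path.dirname(landmark))
    return {
        "base": base,
        "landmark_present": os.path.isfile(landmark),
        "alt_lib_present": os.path.isdir(lib_dir),
        "base_writable": os.path.isdir(base) and os.access(base, os.W_OK),
    }


def demo():
    """Constructed layout (not a real system): an all-users style install at
    <drive>/Program Files/Python313/python.exe with a stray Modules/setup.local
    and Lib two levels up, beside a per-user style install with nothing there.
    Returns (audit of the exposed install, audit of the clean install)."""
    root = tempfile.mkdtemp()
    drive = os.path.join(root, "drive")
    exposed = os.path.join(drive, "Program Files", "Python313", "python.exe")
    clean = os.path.join(root, "user", "AppData", "Python313", "python.exe")
    for exe in (exposed, clean):
        os.makedirs(os.path.dirname(exe))
        open(exe, "w").close()
    os.makedirs(os.path.join(drive, "Modules"))
    open(os.path.join(drive, "Modules", "setup.local"), "w").close()
    os.makedirs(os.path.join(drive, "Lib"))
    return audit(exposed), audit(clean)
```

Run `audit(sys.executable)` against a real install to see whether anything already sits at the probed location; a present landmark or Lib there should be treated as a tampering indicator and investigated.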