{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2025-68146/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":6.3,"id":"CVE-2025-68146"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["TOCTOU","symlink","filelock","CVE-2025-68146","race condition"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCVE-2025-68146 is a security vulnerability residing within the filelock library, a widely used Python library for file locking. The vulnerability stems from a Time-of-Check Time-of-Use (TOCTOU) race condition that occurs during the creation of lock files. This weakness can be exploited by a local attacker to perform symlink attacks. By carefully manipulating the file system, an attacker can potentially redirect the lock creation process to a file location they control. This is a locally exploitable vulnerability with potential for privilege escalation and unauthorized access, but requires local access to the vulnerable system. The advisory was published on April 29, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial local access to the system.\u003c/li\u003e\n\u003cli\u003eAttacker identifies an application utilizing the vulnerable filelock library for file locking operations.\u003c/li\u003e\n\u003cli\u003eAttacker creates a symbolic link (symlink) pointing the expected lock file path to a file location under their control.\u003c/li\u003e\n\u003cli\u003eThe vulnerable application attempts to create a lock file at the expected location.\u003c/li\u003e\n\u003cli\u003eDue to the TOCTOU race condition, between the time the application checks for the existence of the lock file and the time it attempts to create it, the symlink is followed.\u003c/li\u003e\n\u003cli\u003eThe lock file is created in the attacker-controlled location instead of the intended secure location.\u003c/li\u003e\n\u003cli\u003eThe application continues execution, believing it has exclusive access, while the attacker can potentially modify or access the protected resource.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-68146 allows an attacker to manipulate file locking mechanisms, potentially leading to unauthorized modification or access to sensitive files. This can lead to data corruption, privilege escalation, or denial of service. The vulnerability requires local access, limiting the scope of potential attacks, but can be a critical issue in multi-user environments or systems with sensitive data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply patches or updates provided by the vendor (Microsoft) to address CVE-2025-68146 when they become available.\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring to detect unauthorized modifications to critical files and directories.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to detect suspicious symlink creation attempts that might indicate exploitation of this TOCTOU vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T07:50:36Z","date_published":"2026-04-29T07:50:36Z","id":"/briefs/2024-05-filelock-symlink/","summary":"CVE-2025-68146 describes a Time-of-Check Time-of-Use (TOCTOU) race condition vulnerability in the filelock library that could allow for symlink attacks during lock file creation, potentially leading to unauthorized file access or modification.","title":"CVE-2025-68146 filelock TOCTOU Race Condition Enables Symlink Attacks","url":"https://feed.craftedsignal.io/briefs/2024-05-filelock-symlink/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2025-68146","version":"https://jsonfeed.org/version/1.1"}