GHSA-8p37-q9qq-hgx8
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
5Description PRE-NVD
AnalysisAI
Symlink-based path traversal in the Perl module Archive::Tar before version 3.08 allows a malicious tar archive to write or point files outside the intended extraction directory. When an application extracts an attacker-supplied archive, symlink entries whose targets are absolute paths or contain '..' traversal sequences are followed without validation, letting an attacker place links that resolve to arbitrary filesystem locations. EPSS is very low (0.02%, 6th percentile) and there is no public exploit identified at time of analysis, but the issue is rated CVSS 9.1 because Archive::Tar is widely embedded in automated server-side processing of untrusted archives.
Technical ContextAI
Archive::Tar is a pure-Perl library (CPAN distribution archive-tar-new, releases by BINGOS) for reading and writing tar archives, commonly used by build tooling, package managers, and web services that ingest uploaded archives. The root cause is CWE-59 (Improper Link Resolution Before File Access / Link Following): the _make_special_file routine created symlink (and, in the sibling CVE-2026-42497, hardlink) entries using the linkname stored in the archive without checking whether that target escaped the extraction root. The 3.08 fix (commit 17c8734) adds validation in non-INSECURE_EXTRACT_MODE that rejects link entries whose target is absolute (File::Spec->file_name_is_absolute) or contains a '..' component (File::Spec->splitdir), erroring out instead of extracting. Note the input 'Buffer Overflow' tag is erroneous for this record - that label belongs to the unrelated CVE-2026-8376 Perl regex bug listed in the same oss-security post; CVE-2026-42496 is a link-following flaw, consistent with CWE-59.
RemediationAI
Vendor-released patch: Archive::Tar 3.08 - upgrade the CPAN module to 3.08 or later, or apply your OS vendor's patched package (Debian tracks fixed releases). The upstream fix is commit 17c873492a05eddc0de18c1485e0b2cccd5a9158 (https://github.com/jib/archive-tar-new/commit/17c873492a05eddc0de18c1485e0b2cccd5a9158.patch), which enforces target validation in the default secure extract mode. If you cannot upgrade immediately, ensure $Archive::Tar::INSECURE_EXTRACT_MODE is not enabled (it must remain 0/unset), but note that on pre-3.08 versions secure mode alone does NOT block malicious symlink targets, so also extract untrusted archives only inside a sandboxed/throwaway directory on a restricted account, validate or strip symlink and hardlink entries before extraction, and avoid extracting attacker-supplied archives as a privileged user - the trade-off being added processing overhead and rejection of legitimately link-bearing archives. Track the companion hardlink issue CVE-2026-42497, fixed in the same 3.08 release (https://www.cve.org/CVERecord?id=CVE-2026-42497).
Same weakness CWE-59 – Improper Link Resolution Before File Access
View allSame technique Buffer Overflow
View allVendor StatusVendor
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | vulnerable | 5.32.1-4+deb11u3 | - |
| bullseye (security) | vulnerable | 5.32.1-4+deb11u5 | - |
| bookworm | vulnerable | 5.36.0-7+deb12u3 | - |
| bookworm (security) | vulnerable | 5.36.0-7+deb12u2 | - |
| trixie | vulnerable | 5.40.1-6 | - |
| forky, sid | vulnerable | 5.40.1-7 | - |
| (unstable) | fixed | (unfixed) | - |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31774