Skip to main content

Archive::Tar CVE-2026-42496

| EUVDEUVD-2026-31774 CRITICAL
Improper Link Resolution Before File Access (CWE-59)
9.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Red Hat
8.2 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

5
Source Code Evidence Fetched
May 27, 2026 - 19:38 vuln.today
Analysis Generated
May 27, 2026 - 19:38 vuln.today
CVSS changed
May 27, 2026 - 19:37 NVD
9.1 (CRITICAL)
Patch available
May 26, 2026 - 03:01 EUVD
CVE Published
May 26, 2026 - 00:45 nvd
UNKNOWN (no severity yet)

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Symlink-based path traversal in the Perl module Archive::Tar before version 3.08 allows a malicious tar archive to write or point files outside the intended extraction directory. When an application extracts an attacker-supplied archive, symlink entries whose targets are absolute paths or contain '..' traversal sequences are followed without validation, letting an attacker place links that resolve to arbitrary filesystem locations. EPSS is very low (0.02%, 6th percentile) and there is no public exploit identified at time of analysis, but the issue is rated CVSS 9.1 because Archive::Tar is widely embedded in automated server-side processing of untrusted archives.

Technical ContextAI

Archive::Tar is a pure-Perl library (CPAN distribution archive-tar-new, releases by BINGOS) for reading and writing tar archives, commonly used by build tooling, package managers, and web services that ingest uploaded archives. The root cause is CWE-59 (Improper Link Resolution Before File Access / Link Following): the _make_special_file routine created symlink (and, in the sibling CVE-2026-42497, hardlink) entries using the linkname stored in the archive without checking whether that target escaped the extraction root. The 3.08 fix (commit 17c8734) adds validation in non-INSECURE_EXTRACT_MODE that rejects link entries whose target is absolute (File::Spec->file_name_is_absolute) or contains a '..' component (File::Spec->splitdir), erroring out instead of extracting. Note the input 'Buffer Overflow' tag is erroneous for this record - that label belongs to the unrelated CVE-2026-8376 Perl regex bug listed in the same oss-security post; CVE-2026-42496 is a link-following flaw, consistent with CWE-59.

RemediationAI

Vendor-released patch: Archive::Tar 3.08 - upgrade the CPAN module to 3.08 or later, or apply your OS vendor's patched package (Debian tracks fixed releases). The upstream fix is commit 17c873492a05eddc0de18c1485e0b2cccd5a9158 (https://github.com/jib/archive-tar-new/commit/17c873492a05eddc0de18c1485e0b2cccd5a9158.patch), which enforces target validation in the default secure extract mode. If you cannot upgrade immediately, ensure $Archive::Tar::INSECURE_EXTRACT_MODE is not enabled (it must remain 0/unset), but note that on pre-3.08 versions secure mode alone does NOT block malicious symlink targets, so also extract untrusted archives only inside a sandboxed/throwaway directory on a restricted account, validate or strip symlink and hardlink entries before extraction, and avoid extracting attacker-supplied archives as a privileged user - the trade-off being added processing overhead and rejection of legitimately link-bearing archives. Track the companion hardlink issue CVE-2026-42497, fixed in the same 3.08 release (https://www.cve.org/CVERecord?id=CVE-2026-42497).

Vendor StatusVendor

Debian

perl
Release Status Fixed Version Urgency
bullseye vulnerable 5.32.1-4+deb11u3 -
bullseye (security) vulnerable 5.32.1-4+deb11u5 -
bookworm vulnerable 5.36.0-7+deb12u3 -
bookworm (security) vulnerable 5.36.0-7+deb12u2 -
trixie vulnerable 5.40.1-6 -
forky, sid vulnerable 5.40.1-7 -
(unstable) fixed (unfixed) -

Share

CVE-2026-42496 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy