Skip to main content

rxi microtar CVE-2026-54417

HIGH
Integer Overflow or Wraparound (CWE-190)
2026-06-17 TuranSec
7.5
CVSS 3.1 · Vendor: TuranSec
Share

Severity by source

Vendor (TuranSec) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Trigger is a single crafted archive with no auth or interaction when the consuming app accepts network input; impact is CPU-exhaustion DoS only, so C:N/I:N/A:H.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (TuranSec).

CVSS VectorVendor: TuranSec

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 14:27 vuln.today

DescriptionCVE.org

An integer overflow in the mtar_next() function in src/microtar.c in rxi microtar 0.1.0 allows a remote attacker to cause a denial of service (uncontrolled CPU consumption / infinite loop) via a crafted tar archive. mtar_next() computes the offset to the next record as round_up(h.size, 512) + sizeof(mtar_raw_header_t) using 32-bit arithmetic. When the header size field is a multiple of 512 in the range 0xFFFFFC01-0xFFFFFE00 (e.g. 0xFFFFFE00), the addition wraps to 0, so mtar_next() seeks to the current record position instead of advancing. As a result, mtar_find() and any loop that iterates entries with mtar_next() repeat indefinitely over the same record, hanging the process at 100% CPU with no recovery.

AnalysisAI

Denial of service in rxi microtar 0.1.0 allows remote attackers to hang any consumer of the library at 100% CPU by supplying a crafted tar archive whose header size field triggers a 32-bit integer overflow in mtar_next(). The flaw affects every application that parses untrusted tar streams with this lightweight C library, and no public exploit is identified at time of analysis, though the trigger is trivial to construct from the description alone.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify service consuming tar via microtar
Delivery
Craft tar with header size 0xFFFFFE00
Exploit
Deliver archive over upload/update channel
Install
Victim calls mtar_find or mtar_next
C2
Offset arithmetic wraps to zero
Execute
Parser loops on same record
Impact
CPU pinned at 100%, service hangs

Vulnerability AssessmentAI

Exploitation The target application must (a) link or vendor rxi microtar 0.1.0's src/microtar.c and (b) call mtar_find() or any loop that iterates entries via mtar_next() over an archive whose contents are attacker-controlled. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H gives 7.5 (High) and matches reality for the availability dimension - one malformed archive permanently pegs a CPU with no recovery - but the AV:N rating is contingent on the embedding application accepting tar input over the network; for a CLI tool reading local files the practical vector is closer to AV:L. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker uploads or serves a tar archive whose first (or any) record header sets the size field to 0xFFFFFE00 (or another 512-aligned value in 0xFFFFFC01-0xFFFFFE00); when the target application - a game asset loader, firmware update parser, or backup tool linking microtar - calls mtar_find() or iterates with mtar_next(), the offset arithmetic wraps to zero and the loop spins on the same header forever, pinning a core at 100% CPU. No public exploit is identified at time of analysis, but the description is sufficient to produce a working PoC in a few lines of Python.
Remediation No vendor-released patch identified at time of analysis - the upstream repository at https://github.com/rxi/microtar has not published a tagged fix in the data provided. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit your codebase and dependencies to identify all use of rxi microtar version 0.1.0 or earlier, and determine which applications process untrusted tar inputs. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54417 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy