rxi microtar CVE-2026-55738
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Library parses an attacker-supplied file the victim must open (UI:R, PR:N); vector is realistically local file parsing (AV:L), and stack overflow can yield full C/I/A impact.
Primary rating from Vendor (TuranSec).
CVSS VectorVendor: TuranSec
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
A stack-based buffer overflow exists in the raw_to_header() function in src/microtar.c in rxi microtar 0.1.0. The function copies the 100-byte name and linkname fields of a TAR header with strcpy() without guaranteeing null termination of the source. The POSIX ustar format permits these fixed-width fields to be fully populated with non-null bytes, so a crafted archive whose linkname field (followed by the trailing padding of the 512-byte raw header) contains no null terminator causes strcpy() to read past the end of the 512-byte raw header stack buffer and to write past the destination header buffer. A remote attacker who supplies a crafted TAR archive that the victim opens or parses (via mtar_open(), mtar_read_header(), or mtar_find()) can cause an out-of-bounds read and a stack buffer overflow, resulting in denial of service (crash) and potentially arbitrary code execution. Confirmed with AddressSanitizer: stack-buffer-overflow READ of size 356 in raw_to_header at src/microtar.c:112.
AnalysisAI
Stack-based buffer overflow in rxi microtar 0.1.0 allows remote attackers to crash or potentially execute arbitrary code in applications that parse attacker-supplied TAR archives. The flaw lies in raw_to_header() (src/microtar.c:112), which uses strcpy() on fixed-width 100-byte ustar name/linkname fields that are not guaranteed to be null-terminated, enabling a 356-byte out-of-bounds read confirmed via AddressSanitizer. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that a victim application built against rxi microtar 0.1.0 invoke mtar_open(), mtar_read_header(), or mtar_find() on an attacker-supplied TAR archive whose 100-byte linkname field and the following padding inside the 512-byte ustar header are fully populated with non-null bytes (no NUL terminator). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | CVSS 3.1 base of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) reflects a network-reachable, unauthenticated, low-complexity vector requiring user interaction (the victim must open or parse the malicious archive), with high impact across confidentiality, integrity, and availability assuming arbitrary code execution is achievable. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a TAR archive whose linkname field and the surrounding 512-byte header padding contain no NUL byte, then delivers it to a victim via email attachment, web upload, package download, or a network service that consumes archives. When the victim's application calls mtar_open(), mtar_read_header(), or mtar_find() on the file, raw_to_header()'s strcpy() reads past the 512-byte raw header and overflows the destination header on the stack, crashing the process or - given a sufficiently weak target binary - overwriting a return address to redirect execution. |
| Remediation | No vendor-released patch identified at time of analysis; the only references provided are the upstream source files (https://github.com/rxi/microtar and https://github.com/rxi/microtar/blob/master/src/microtar.c#L111), with no tagged release or PR cited as a fix. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all applications using rxi microtar 0.1.0, particularly those processing untrusted TAR files. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Stack-based buffer overflow in microtar through 0.1.0 allows remote attackers to corrupt stack memory and potentially ac
Denial of service in rxi microtar 0.1.0 allows remote attackers to hang any consumer of the library at 100% CPU by suppl
Same weakness CWE-121 – Stack-based Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today