Skip to main content

Archive::Tar EUVDEUVD-2026-31777

| CVE-2026-42497 HIGH
Improper Link Resolution Before File Access (CWE-59)
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Red Hat
6.8 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

5
Source Code Evidence Fetched
May 27, 2026 - 19:38 vuln.today
Analysis Generated
May 27, 2026 - 19:38 vuln.today
CVSS changed
May 27, 2026 - 19:37 NVD
7.5 (HIGH)
Patch available
May 26, 2026 - 03:01 EUVD
CVE Published
May 26, 2026 - 00:45 nvd
UNKNOWN (no severity yet)

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Arbitrary file modification in the Perl Archive::Tar module before version 3.08 allows a malicious tar archive to create hardlinks pointing outside the extraction directory. Any application or service that extracts attacker-supplied tarballs is affected: because extraction chmods the shared inode of a hardlink, an attacker can alter permissions of sensitive files outside the intended target path. EPSS is very low (0.02%, 5th percentile) and there is no public exploit identified at time of analysis; it is not listed in CISA KEV.

Technical ContextAI

Archive::Tar is a pure-Perl library (CPAN distribution, CPE cpe:2.3:a:archive\:\:tar_project:archive\:\:tar) widely used to read and write tar archives, including in automated pipelines that ingest untrusted archives. The flaw is a CWE-59 Improper Link Resolution ('Link Following') issue: during extraction in _make_special_file, the library created hardlink (and the related symlink) entries using the linkname supplied by the archive without validating it. The fixed commit (17c873492a05) adds checks under the default SECURE EXTRACT MODE that reject link targets that are absolute paths or that contain '..' traversal components. The hardlink case is particularly dangerous because, as the patch comment notes, the extraction process itself chmods the shared inode, so creating a hardlink to a file outside the extraction tree lets the archive change that external file's permissions.

RemediationAI

Upgrade Archive::Tar to version 3.08 or later (Vendor-released patch: 3.08), which restores SECURE EXTRACT MODE checks that reject hardlink and symlink targets with absolute paths or '..' traversal; the fix is in commit https://github.com/jib/archive-tar-new/commit/17c873492a05eddc0de18c1485e0b2cccd5a9158 and documented at https://metacpan.org/release/BINGOS/Archive-Tar-3.08/changes. On systems that ship Archive::Tar with Perl core, update the OS/vendor package (see Debian tracking) rather than only the standalone CPAN module. Until patched, do not enable $Archive::Tar::INSECURE_EXTRACT_MODE (it bypasses the link checks), and treat untrusted archives defensively: extract only into a dedicated throwaway/sandboxed directory that contains no sensitive files and is isolated from system paths (trade-off: requires reworking extraction workflows), or pre-screen archive entries and reject any hardlink/symlink whose linkname is absolute or contains '..' before extraction (trade-off: custom validation code must stay in sync with edge cases the library now handles).

Vendor StatusVendor

Debian

perl
Release Status Fixed Version Urgency
bullseye vulnerable 5.32.1-4+deb11u3 -
bullseye (security) vulnerable 5.32.1-4+deb11u5 -
bookworm vulnerable 5.36.0-7+deb12u3 -
bookworm (security) vulnerable 5.36.0-7+deb12u2 -
trixie vulnerable 5.40.1-6 -
forky, sid vulnerable 5.40.1-7 -
(unstable) fixed (unfixed) -

Share

EUVD-2026-31777 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy