Which versions of microtar are affected by EUVD-2026-33741?

microtar library (versions through 0.1.0) contains a remote code execution vulnerability in TAR archive parsing that enables attackers to execute arbitrary code by submitting malicious files.

Is there a public PoC exploit available for EUVD-2026-33741?

Yes, a public proof-of-concept exploit is available for EUVD-2026-33741. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate EUVD-2026-33741?

Within 24 hours: Inventory all applications and services using microtar; isolate affected systems from sensitive networks and external file inputs. Within 7 days: Implement strict input validation (reject oversized TAR files, disable hard links/symlinks, verify file origins); evaluate migration to patched alternatives (libtar, libbsdtar, bsdtar). Within 30 days: Execute migration plan away from microtar or establish permanent compensating controls; establish process to immediately apply vendor patch upon release.

microtar EUVD-2026-33741

Q: What is the CVSS score of EUVD-2026-33741?

EUVD-2026-33741 has a CVSS 4.0 base score of 8.7 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

| CVE-2026-43623 HIGH

Stack-based Buffer Overflow (CWE-121)

2026-06-01 VulnCheck

GHSA-mwwm-v74q-mvh9

Buffer Overflow Stack Overflow Microtar

8.7

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

8.7 HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Scope

Lifecycle Timeline

Analysis Generated

Jun 01, 2026 - 19:25 vuln.today

CVSS changed

Jun 01, 2026 - 19:22 NVD

8.8 (HIGH) 8.7 (HIGH)

DescriptionCVE.org

microtar through 0.1.0 contains a stack-based buffer overflow vulnerability in the raw_to_header() function in src/microtar.c that allows attackers to corrupt adjacent stack memory by supplying a crafted TAR archive with non-null-terminated name or linkname fields. The function uses strcpy() to copy 100-byte ustar format fields that lack null terminators, causing writes of up to 355 bytes into a 100-byte destination buffer when mtar_open(), mtar_find(), or mtar_read_header() process attacker-supplied TAR archives.

AnalysisAI

Stack-based buffer overflow in microtar through 0.1.0 allows remote attackers to corrupt stack memory and potentially achieve code execution when an application using the library parses a malicious TAR archive. The flaw in raw_to_header() uses strcpy() on non-null-terminated 100-byte ustar fields, enabling writes of up to 355 bytes into a 100-byte buffer. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon

Craft TAR with unterminated name field

Delivery

Deliver archive to victim application

Exploit

Victim opens or unpacks archive

Install

strcpy overflows stack buffer in raw_to_header

Overwrite saved return address

Execute

Hijack control flow

Impact

Execute attacker code in host process