Description
Archive::Tar versions before 3.08 for Perl extract symlinks with attacker controlled targets outside the extraction directory.

_make_special_file() passes the tar header's linkname to symlink() without validating it against absolute paths or .. segments. The secure-extract mode check that guards regular file extraction does not cover the symlink target.

A subsequent open through the extracted name reads or writes the attacker chosen path.
Published: 2026-05-26
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Archive::Tar versions before 3.08 lack validation of symlink targets, which corresponds to CWE-22 (Path Traversal) and CWE-59 (Improper Handling of Symbolic Links). The internal routine _make_special_file() forwards the linkname from a tar header directly to symlink() without checking whether it is absolute or contains ".." path components. An attacker can therefore craft a tar archive that creates a symbolic link pointing to any location on the file system, including files outside the extraction directory. Subsequent open or write operations performed on the extracted pathname will access the attacker-chosen target, allowing arbitrary file read or overwrite on the host system.

Affected Systems

The vulnerability affects the Perl Archive::Tar module distributed by the BINGOS vendor. All releases prior to 3.08 – for example 3.07 and earlier – are susceptible. Updating to version 3.08 or later removes the flaw.

Risk and Exploitability

The CVSS score of 9.1 highlights a critical severity, but the EPSS score of less than 1% suggests that exploitation attempts are unlikely to occur at this time. The issue is not listed in CISA's KEV catalog. Exploitation requires an attacker to supply a malicious tar archive and trigger extraction; the impact is confined to the privileges under which the extraction process runs. If the process runs with elevated rights, the attacker can overwrite system files or read privileged data. In contexts where tar extraction is performed on untrusted inputs, such as web applications or file import utilities, the risk becomes more pronounced if sufficient privileges exist.

Generated by OpenCVE AI on June 3, 2026 at 13:51 UTC.

Remediation

Vendor Solution

Upgrade to Archive::Tar 3.08 or later.


OpenCVE Recommended Actions

  • Upgrade Archive::Tar to 3.08 or later.
  • Run tar extraction in a restricted, non-privileged environment or sandbox to limit the damage if an attacker-controlled archive is processed.
  • Validate symlink targets before creation, ensuring they resolve within the extraction directory and rejecting any absolute or path-traversal entries.

Generated by OpenCVE AI on June 3, 2026 at 13:51 UTC.
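The third recommended action, checking every symlink target before anything is extracted, as an added example. This is not Archive::Tar's own code and not the 3.08 fix; it is a pre-extraction scan written against the public Archive::Tar API (new, get_files, is_symlink, name, linkname, extract). The helper names lexical_normalise, symlink_is_contained and unsafe_symlinks are this example's own.

```perl
#!/usr/bin/env perl
# Added example (not Archive::Tar's own code): refuse to extract an archive
# that contains a symlink whose target would resolve outside the destination.
use strict;
use warnings;
use Archive::Tar;
use File::Spec;

# Normalise a slash-separated relative path lexically: drop empty and '.'
# segments, pop one segment for each '..'. Returns undef when a '..' has
# nothing left to pop, i.e. the path climbs above the extraction root.
sub lexical_normalise {
    my ($path) = @_;
    my @out;
    for my $seg (split m{/+}, $path) {
        next if $seg eq '' || $seg eq '.';
        if ($seg eq '..') {
            return undef unless @out;
            pop @out;
            next;
        }
        push @out, $seg;
    }
    return join '/', @out;
}

# Decide whether creating symlink $name -> $linkname keeps the target inside
# the extraction directory. The kernel resolves a relative link target from
# the directory that contains the link, so the check starts from dirname($name).
sub symlink_is_contained {
    my ($name, $linkname) = @_;
    return 0 if $linkname eq '';                                   # malformed header
    return 0 if File::Spec->file_name_is_absolute($linkname);      # e.g. /etc/passwd
    my (undef, $dir, undef) = File::Spec->splitpath($name);
    my $resolved = lexical_normalise("$dir/$linkname");
    return defined $resolved ? 1 : 0;
}

# Scan the whole archive first; return the names of symlink entries that
# would escape. Nothing is written to disk during the scan.
sub unsafe_symlinks {
    my ($tar) = @_;
    my @bad;
    for my $entry ($tar->get_files) {
        next unless $entry->is_symlink;
        push @bad, $entry->name
            unless symlink_is_contained($entry->name, $entry->linkname);
    }
    return @bad;
}

# Usage: perl scan_then_extract.pl archive.tar
if (@ARGV) {
    my $tar = Archive::Tar->new($ARGV[0]) or die Archive::Tar->error;
    my @bad = unsafe_symlinks($tar);
    die "refusing to extract; symlinks escaping the destination: @bad\n" if @bad;
    $tar->extract;
}
```

The check is purely lexical and therefore conservative: a target such as "../../etc" from a top-level entry is rejected, and so is a link under a directory that an earlier entry turned into a symlink, because ".." is counted against the entry name rather than against where that earlier link really points. It must run over the complete entry list before the first extract call, since Archive::Tar creates entries in archive order and a single escaping link created early would already be on disk when later entries are written through it. Upgrading to 3.08 or later remains the actual fix; this scan only adds a layer for code that cannot upgrade immediately.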

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 12:15:00 +0000
  Weaknesses (added): CWE-22
  References: (none listed)
  Metrics threat_severity: None -> Important

Thu, 28 May 2026 13:30:00 +0000
  Metrics ssvc (added): {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 27 May 2026 18:45:00 +0000
  First Time appeared (added): Archive\ ; Archive\ \
  CPEs (added): cpe:2.3:a:archive\:\:tar_project:archive\:\:tar:*:*:*:*:*:perl:*:*
  Vendors & Products (added): Archive\ ; Archive\ \
  Metrics cvssV3_1 (added): {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

Tue, 26 May 2026 13:30:00 +0000
  First Time appeared (added): Bingos ; Bingos archive::tar
  Vendors & Products (added): Bingos ; Bingos archive::tar

Tue, 26 May 2026 01:30:00 +0000
  Description (added): Archive::Tar versions before 3.08 for Perl extract symlinks with attacker controlled targets outside the extraction directory. _make_special_file() passes the tar header's linkname to symlink() without validating it against absolute paths or .. segments. The secure-extract mode check that guards regular file extraction does not cover the symlink target. A subsequent open through the extracted name reads or writes the attacker chosen path.
  Title (added): Archive::Tar versions before 3.08 for Perl extract symlinks with attacker controlled targets outside the extraction directory
  Weaknesses (added): CWE-59
  References: (none listed)

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-05-28T13:08:37.326Z

Reserved: 2026-04-27T18:34:48.417Z

Link: CVE-2026-42496

Vulnrichment

Updated: 2026-05-28T13:08:22.601Z

NVD

Status : Modified

Published: 2026-05-26T02:16:40.130

Modified: 2026-05-28T14:16:20.023

Link: CVE-2026-42496

Redhat

Severity : Important

Public Date: 2026-05-26T00:17:19Z

Links: CVE-2026-42496 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-03T14:00:21Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

  • CWE-59

    Improper Link Resolution Before File Access ('Link Following')