Description
Archive::Tar versions before 3.08 for Perl extract symlinks with attacker-controlled targets outside the extraction directory.

_make_special_file() passes the tar header's linkname to symlink() without validating it against absolute paths or .. segments. The secure-extract mode check that guards regular file extraction does not cover the symlink target.

A subsequent open through the extracted name reads or writes the attacker-chosen path.
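The missing check described above, as an added example that is not part of Archive::Tar or this advisory: screen every symlink entry's linkname against the extraction root before calling extract(). It assumes the archive path and destination directory are passed on the command line; the helper names are hypothetical.

```perl
# Added example (not Archive::Tar's own code): drop symlink entries whose
# target would resolve outside the extraction root, then extract the rest.
use strict;
use warnings;
use Archive::Tar;
use File::Basename qw(dirname);
use File::Spec;

# Lexically resolve TARGET relative to the directory that holds LINK_PATH
# inside the archive. Returns 1 if the result stays under the extraction
# root, 0 if it is absolute or climbs above the root with '..'.
sub symlink_target_is_safe {
    my ($link_path, $target) = @_;
    return 0 if $target eq '' || File::Spec->file_name_is_absolute($target);
    my $base = dirname($link_path);
    $base = '' if $base eq '.';
    my @stack;
    for my $seg (split m{/+}, "$base/$target") {
        next if $seg eq '' || $seg eq '.';
        if ($seg eq '..') {
            return 0 unless @stack;   # would escape the extraction root
            pop @stack;
        } else {
            push @stack, $seg;
        }
    }
    return 1;
}

# Remove unsafe symlink entries from the in-memory archive, then extract.
# Returns the list of rejected "link -> target" pairs.
sub extract_rejecting_escaping_symlinks {
    my ($archive, $dest) = @_;
    my $tar = Archive::Tar->new($archive) or die Archive::Tar->error;
    my @rejected;
    for my $entry ($tar->get_files) {
        next unless $entry->is_symlink;
        my ($path, $target) = ($entry->full_path, $entry->linkname);
        next if symlink_target_is_safe($path, $target);
        push @rejected, "$path -> $target";
        $tar->remove($path);   # extract() never sees the entry
    }
    chdir $dest or die "chdir $dest: $!";
    $tar->extract or die Archive::Tar->error;
    return @rejected;
}

my ($archive, $dest) = @ARGV;
die "usage: $0 ARCHIVE.tar DEST_DIR\n" unless defined $dest;
print "rejected: $_\n" for extract_rejecting_escaping_symlinks($archive, $dest);
```

The check is lexical, so it does not account for a target that passes through a symlink created earlier in the same archive; for fully untrusted input, dropping every symlink entry is the simpler policy.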
Published: 2026-05-26
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Archive::Tar versions before 3.08 can extract symbolic links that point to arbitrary locations outside the destination directory. The code passes the tar header's linkname to symlink() without validating absolute paths or traversal components. If an attacker supplies a crafted tar archive, the symlink will be created, and subsequent file operations on the extracted name can read or overwrite the attacker-chosen file. This flaw enables an attacker to read sensitive files or corrupt data on the host, potentially allowing further exploitation.

Affected Systems

The affected component is the Perl module Archive::Tar supplied by the BINGOS vendor. All versions prior to 3.08 are vulnerable; affected releases include 3.07 and earlier.

Risk and Exploitability

No CVSS score or EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog, indicating no widespread exploitation. The flaw is local; it requires an attacker to supply a malicious tar archive and trigger extraction, typically from an untrusted source. If extraction occurs with elevated privileges, the attacker can use the symlink to overwrite critical files or gain read access to sensitive data. The lack of automated exploitation reports suggests the risk remains theoretical until an attacker demonstrates the attack, but the impact could be severe if used.

Generated by OpenCVE AI on May 26, 2026 at 02:22 UTC.

Remediation

Vendor Solution

Upgrade to Archive::Tar 3.08 or later.
OpenCVE Recommended Actions

  • Upgrade to Archive::Tar 3.08 or later.
  • Run archive extraction in a non-privileged environment or sandbox to limit impact.
  • Validate symlink targets before extraction, rejecting those that point outside the intended directory.

Advisories

No advisories yet.

History

Tue, 26 May 2026 13:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Bingos
                                      Bingos archive::tar
Vendors & Products                    Bingos
                                      Bingos archive::tar

Tue, 26 May 2026 01:30:00 +0000

Type          Values Removed   Values Added
Description                    Archive::Tar versions before 3.08 for Perl extract symlinks with attacker-controlled targets outside the extraction directory. _make_special_file() passes the tar header's linkname to symlink() without validating it against absolute paths or .. segments. The secure-extract mode check that guards regular file extraction does not cover the symlink target. A subsequent open through the extracted name reads or writes the attacker-chosen path.
Title                          Archive::Tar versions before 3.08 for Perl extract symlinks with attacker-controlled targets outside the extraction directory
Weaknesses                     CWE-59
References

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-05-26T00:17:19.110Z

Reserved: 2026-04-27T18:34:48.417Z

Link: CVE-2026-42496

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-26T02:16:40.130

Modified: 2026-05-26T02:16:40.130

Link: CVE-2026-42496

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T12:59:48Z

Weaknesses