Description
Archive::Tar versions before 3.08 for Perl extract hardlinks to attacker controlled paths outside the extraction directory.

_make_special_file() passes the tar header's linkname to link() without validating it against absolute paths or .. segments, creating a hardlink that shares the victim file's inode.

A subsequent write through the extracted name modifies the victim file, and the post-extraction chmod, chown, and utime block in _extract_file() (guarded only against symlinks via -l) applies the tar header's mode, owner, and timestamps to the shared inode during extraction alone.
Published: 2026-05-26
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Archive::Tar module fails to validate the linkname field of tar headers when creating hardlinks. As a result, an attacker can supply a tar archive containing hardlink entries whose linkname is an absolute path or points outside the intended extraction directory. The module creates a hardlink to the target file and later writes to it during extraction, overwriting or modifying files the attacker should not be able to touch. This flaw allows arbitrary file creation or modification on the victim's system and, if the extracting process runs with elevated privileges, can lead to privilege escalation. The weakness is a form of path traversal (CWE-59) combined with improper permissions handling (CWE-732).

Affected Systems

All versions of the Perl Archive::Tar module (CPAN author BINGOS) older than 3.08 are affected. The issue was fixed in the 3.08 release; 3.08 and later are not affected.

Risk and Exploitability

Because the vulnerability is triggered by supplying a malicious tar file, the attack vector is local extraction by any user who can influence the file fed to Archive::Tar, or remote if the application accepts archives from untrusted networks. Exploitation requires the extracting process to have write access to the filesystem area targeted by the hardlink. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Despite the lack of a known active exploit, its high impact and the ability to overwrite arbitrary files make it a serious risk, particularly where the extraction routine runs with elevated privileges.

Generated by OpenCVE AI on May 26, 2026 at 02:21 UTC.

Remediation

Vendor Solution

Upgrade to Archive::Tar 3.08 or later.


OpenCVE Recommended Actions

  • Upgrade the Archive::Tar module to version 3.08 or later.
  • If an upgrade is not immediately possible, apply the official patch from https://github.com/jib/archive-tar-new/commit/17c873492a05eddc0de18c1485e0b2cccd5a9158.patch.
  • Ensure that tar extraction is performed in a restricted, non-privileged environment and tighten file system permissions to prevent accidental modification of critical files.

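As an added example, not Archive::Tar's own code, the following Perl script performs before extraction the linkname validation the description says _make_special_file() omits: it scans every hardlink entry for an absolute linkname or a ".." segment and refuses the archive if any is found. It assumes the archive is extracted into a fresh, empty directory so relative linknames resolve inside it, and the script name check_tar_hardlinks.pl is hypothetical.

```perl
#!/usr/bin/perl
# Added example, not Archive::Tar's own code: refuse to extract an archive
# whose hardlink entries carry a linkname that is absolute or contains a
# ".." segment, the two cases the advisory says _make_special_file()
# passes to link() unchecked. Assumes the archive is extracted into a fresh,
# empty directory so relative linknames resolve inside it.
use strict;
use warnings;
use Archive::Tar;
use File::Spec;

# Return a reason string if $linkname could escape the extraction tree,
# or nothing (undef in scalar context) if it is an acceptable relative path.
sub unsafe_linkname_reason {
    my ($linkname) = @_;
    return 'empty linkname' if !defined $linkname || $linkname eq '';
    return 'absolute path'  if File::Spec->file_name_is_absolute($linkname);
    my @segments = grep { length } split m{/}, $linkname;
    return 'contains a ".." segment' if grep { $_ eq '..' } @segments;
    return;
}

# Walk every entry in the archive and collect the hardlinks that fail the check.
sub unsafe_hardlinks {
    my ($tar) = @_;
    my @bad;
    for my $entry ($tar->get_files) {
        next unless $entry->is_hardlink;
        my $why = unsafe_linkname_reason($entry->linkname);
        next unless defined $why;
        push @bad, sprintf '%s -> %s (%s)', $entry->full_path, $entry->linkname // '', $why;
    }
    return @bad;
}

# Usage: perl check_tar_hardlinks.pl archive.tar /path/to/empty/dir
my ($archive, $extract_dir) = @ARGV;
die "usage: $0 archive.tar extract_dir\n" unless defined $archive && defined $extract_dir;
die "$extract_dir is not a directory\n" unless -d $extract_dir;

my $tar = Archive::Tar->new($archive) or die Archive::Tar->error;
if (my @bad = unsafe_hardlinks($tar)) {
    die "refusing to extract; unsafe hardlink entries:\n", map { "  $_\n" } @bad;
}
$tar->setcwd($extract_dir);   # extract relative to the chosen directory
$tar->extract or die Archive::Tar->error;
print "extracted into $extract_dir\n";
```

The scan covers only the two cases the advisory names and does not resolve symlinks, so treat it as a stopgap for hosts that cannot yet upgrade to 3.08.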

Advisories

No advisories yet.

History

Tue, 26 May 2026 13:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Bingos; Bingos archive::tar
Vendors & Products    -                Bingos; Bingos archive::tar

Tue, 26 May 2026 01:30:00 +0000

Type          Values Removed   Values Added
Description   -                Archive::Tar versions before 3.08 for Perl extract hardlinks to attacker controlled paths outside the extraction directory. _make_special_file() passes the tar header's linkname to link() without validating it against absolute paths or .. segments, creating a hardlink that shares the victim file's inode. A subsequent write through the extracted name modifies the victim file, and the post-extraction chmod, chown, and utime block in _extract_file() (guarded only against symlinks via -l) applies the tar header's mode, owner, and timestamps to the shared inode during extraction alone.
Title         -                Archive::Tar versions before 3.08 for Perl extract hardlinks to attacker controlled paths outside the extraction directory
Weaknesses    -                CWE-59; CWE-732
References    -                -

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-05-26T00:17:50.656Z

Reserved: 2026-04-27T18:34:48.417Z

Link: CVE-2026-42497

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-26T02:16:40.250

Modified: 2026-05-26T02:16:40.250

Link: CVE-2026-42497

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T12:59:47Z

Weaknesses