Description
A stack-based buffer overflow exists in the raw_to_header() function in src/microtar.c in rxi microtar 0.1.0. The function copies the 100-byte name and linkname fields of a TAR header with strcpy() without guaranteeing null termination of the source. The POSIX ustar format permits these fixed-width fields to be fully populated with non-null bytes, so a crafted archive whose linkname field (followed by the trailing padding of the 512-byte raw header) contains no null terminator causes strcpy() to read past the end of the 512-byte raw header stack buffer and to write past the destination header buffer. A remote attacker who supplies a crafted TAR archive that the victim opens or parses (via mtar_open(), mtar_read_header(), or mtar_find()) can cause an out-of-bounds read and a stack buffer overflow, resulting in denial of service (crash) and potentially arbitrary code execution. Confirmed with AddressSanitizer: stack-buffer-overflow READ of size 356 in raw_to_header at src/microtar.c:112.
Published: 2026-06-17
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stack-based buffer overflow exists in the raw_to_header() function of rxi microtar 0.1.0. The function copies the 100‑byte name and linkname fields of a TAR header with strcpy() without ensuring the source is null‑terminated, a flaw characterized by CWE‑121 and CWE‑170. In the POSIX ustar format the fixed‑width fields may be fully populated with non‑null bytes. A crafted archive whose linkname field, followed by the padding of the 512‑byte raw header, contains no null terminator causes strcpy() to read past the end of the stack buffer and write past the destination buffer. The CVE description states that a remote attacker who supplies such a crafted TAR archive that the victim opens or parses via mtar_open, mtar_read_header, or mtar_find can trigger an out‑of‑bounds read and a stack buffer overflow, resulting in denial of service and potentially arbitrary code execution.

Affected Systems

The vulnerability affects all instances of rxi microtar version 0.1.0. No other affected versions are listed.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity. EPSS information is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is the processing of a malicious TAR archive; any application that uses mtar_* functions to open or read TAR files is a potential vector. Exploitation can be achieved by providing a specially crafted archive that lacks a null terminator in the relevant fields, which triggers the overflow and gives the attacker the possibility of arbitrary code execution or a crash. The absence of a publicly released fix further increases the risk of exploitation in the wild.

Generated by OpenCVE AI on June 18, 2026 at 14:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify whether rxi has released an updated version of microtar that resolves the raw_to_header buffer overflow by checking the official repository or issue tracker.
  • If no update is available, modify the raw_to_header function to use strncpy with a fixed length and explicitly null‑terminate the destination buffer, preventing overflow.
  • Validate any TAR archives processed locally to ensure that their name or linkname fields are null‑terminated before invoking mtar_* functions, or reject archives that do not conform to this requirement.

Generated by OpenCVE AI on June 18, 2026 at 14:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
First Time appeared Rxi
Rxi microtar
Vendors & Products Rxi
Rxi microtar
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Description A stack-based buffer overflow exists in the raw_to_header() function in src/microtar.c in rxi microtar 0.1.0. The function copies the 100-byte name and linkname fields of a TAR header with strcpy() without guaranteeing null termination of the source. The POSIX ustar format permits these fixed-width fields to be fully populated with non-null bytes, so a crafted archive whose linkname field (followed by the trailing padding of the 512-byte raw header) contains no null terminator causes strcpy() to read past the end of the 512-byte raw header stack buffer and to write past the destination header buffer. A remote attacker who supplies a crafted TAR archive that the victim opens or parses (via mtar_open(), mtar_read_header(), or mtar_find()) can cause an out-of-bounds read and a stack buffer overflow, resulting in denial of service (crash) and potentially arbitrary code execution. Confirmed with AddressSanitizer: stack-buffer-overflow READ of size 356 in raw_to_header at src/microtar.c:112.
Title Stack Buffer Overflow in rxi/microtar raw_to_header() via non-null-terminated TAR name field
Weaknesses CWE-121
CWE-170
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: TuranSec

Published:

Updated: 2026-06-17T15:00:58.607Z

Reserved: 2026-06-17T12:59:17.620Z

Link: CVE-2026-55738

cve-icon Vulnrichment

Updated: 2026-06-17T15:00:54.933Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T14:30:15Z

Weaknesses
  • CWE-121

    Stack-based Buffer Overflow

  • CWE-170

    Improper Null Termination