216.73.216.170

CVE-2026-42497

· Published 26/05/2026 02:16 · Modified 27/05/2026 19:07

Labels: CVE-2026-42497 2026-05-269b29abf9-4ab0-4765-b253-1875cd9b441eCVE-2026-42497CWE-59

Essential information

Published
26/05/2026 02:16
Modified
27/05/2026 19:07
Author
Creator
CVSS
7.5 HIGH (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS metrics

Description

Archive::Tar versions before 3.08 for Perl extract hardlinks to attacker controlled paths outside the extraction directory. _make_special_file() passes the tar header's linkname to link() without validating it against absolute paths or .. segments, creating a hardlink that shares the victim file's inode. A subsequent write through the extracted name modifies the victim file, and the post-extraction chmod, chown, and utime block in _extract_file() (guarded only against symlinks via -l) applies the tar header's mode, owner, and timestamps to the shared inode during extraction alone.

NVD status

Status
Analyzed — CVE has been recently published to the CVE List and has been received by the NVD.
Source
9b29abf9-4ab0-4765-b253-1875cd9b441e
NVD
View on NVD

Affected products (CPE)

ProductCPE
archive\ / \ cpe:2.3:a:archive\:\:tar_project:archive\:\:tar:*:*:*:*:*:perl:*:*

References