PT-2026-43163 · Cpan · Archive Tar

Stig Palmquist

·

Published

2026-05-26

·

Updated

2026-06-25

·

CVE-2026-42497

CVSS v3.1

7.5

High

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions Archive::Tar versions prior to 3.08
Description Archive::Tar for Perl allows the extraction of hardlinks to attacker-controlled paths outside the intended extraction directory. The function make special file() passes the tar header's linkname to link() without validating it against absolute paths or .. segments, which creates a hardlink sharing the victim file's inode. A subsequent write through the extracted name modifies the victim file. Additionally, the post-extraction chmod, chown, and utime block in extract file() applies the tar header's mode, owner, and timestamps to the shared inode during extraction, as it is only guarded against symlinks via -l.
Recommendations Update to version 3.08 or later.

Exploit

Fix

Link Following

Incorrect Permission

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-42497
ECHO-CFD1-A043-7D5C

Affected Products

Archive Tar