Symlink Vulnerability in Archive::Tar for Perl by Jib
CVE-2026-42496
Currently unrated
What is CVE-2026-42496?
The Archive::Tar module for Perl, in versions before 3.08, allows symlinks to be extracted with attacker-controlled targets that point outside the designated extraction directory. The internal function _make_special_file() passes the linkname field from the tar header straight to symlink() without checking it for absolute paths or parent-directory (..) components, so a crafted archive can create a link to an arbitrary path on the host file system. The module's secure-extract mode does not validate symlink targets either, so an application that extracts an untrusted archive and later opens a file through one of the extracted links accesses the attacker-chosen path rather than a path inside the extraction directory.
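The check that the advisory says is missing, written here as an added example in Python (it is not Archive::Tar's code; the project itself is Perl). The archive is constructed in memory for the demonstration, the extraction root "/extract" is a hypothetical sentinel used only for lexical resolution, and no file is actually written. The scanner flags any symlink whose target is absolute or climbs past the extraction directory, which is exactly the validation _make_special_file() is described as not performing; it also covers hard links, whose targets are archive-relative rather than link-relative.

```python
import io
import posixpath
import tarfile

# Hypothetical extraction root used as a sentinel for lexical path resolution.
ROOT = "/extract"


def build_sample_archive(linkname: str) -> bytes:
    """Construct, in memory, a tar with one symlink member 'out/link' -> linkname
    followed by an ordinary file. This is constructed sample input, not a real archive."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        link = tarfile.TarInfo(name="out/link")
        link.type = tarfile.SYMTYPE
        link.linkname = linkname          # attacker-controlled in a malicious archive
        tar.addfile(link)
        payload = b"hello\n"
        regular = tarfile.TarInfo(name="out/readme.txt")
        regular.size = len(payload)
        tar.addfile(regular, io.BytesIO(payload))
    return buf.getvalue()


def resolves_inside_root(base_dir: str, target: str) -> bool:
    """Lexically resolve target relative to base_dir under ROOT and report whether the
    result stays inside ROOT. Absolute targets are rejected outright; '..' components are
    collapsed by normpath, so a target that climbs above ROOT ends up outside it."""
    if posixpath.isabs(target):
        return False
    resolved = posixpath.normpath(posixpath.join(ROOT, base_dir, target))
    return resolved == ROOT or resolved.startswith(ROOT + "/")


def unsafe_links(tar_bytes: bytes) -> list[tuple[str, str]]:
    """Return (member name, link target) for every symlink or hard link in the archive
    whose target would escape the extraction directory."""
    bad = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for m in tar.getmembers():
            if m.issym():
                base = posixpath.dirname(m.name)  # symlink targets resolve from the link's directory
            elif m.islnk():
                base = ""                         # hard-link targets are relative to the archive root
            else:
                continue
            if not resolves_inside_root(base, m.linkname):
                bad.append((m.name, m.linkname))
    return bad


if __name__ == "__main__":
    for target in ("/etc/passwd", "../../../etc/passwd", "../readme.txt", "readme.txt"):
        verdict = unsafe_links(build_sample_archive(target))
        print(f"{target!r}: {'REJECT' if verdict else 'ok'} {verdict}")
```

Run the scan over an untrusted archive before extracting it, or, if you extract with Python's tarfile on 3.12 or later, pass filter="data" to extractall(), which refuses link members pointing outside the destination. The equivalent fix in Archive::Tar is to apply the same test to the header's linkname before calling symlink(), including when extracting in secure mode.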
Affected Version(s)
Archive::Tar < 3.08 (all versions from 0 up to, but not including, 3.08)
