Directory Traversal Risk in Archive::Tar by Perl
CVE-2026-42497

Currently unrated

Key Information:

Vendor: Bingos

CVE Published: 26 May 2026

What is CVE-2026-42497?

The Archive::Tar module for Perl, prior to version 3.08, contains a vulnerability that allows attackers to create hardlinks to files outside the intended extraction directory. This occurs because the function _make_special_file() does not validate the linkname against absolute paths or parent directory traversal sequences (..). Consequently, an attacker can craft a tar file that creates a hardlink sharing the inode of a victim file. Any modification made to the extracted file through this hardlink also alters the original file, leading to potential data loss and integrity issues. In addition, permission changes applied later during extraction can affect the victim file, which widens the impact of the vulnerability.
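A pre-extraction check for the condition described above, as an added example: it is not code from Archive::Tar and not the 3.08 fix. The helper names unsafe_linkname and audit_hardlinks are hypothetical, the sample entries are constructed in memory, and Unix-style paths are assumed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Archive::Tar;
use Archive::Tar::Constant;    # exports the HARDLINK entry-type constant

# Hypothetical helper: true when a link target is absolute or contains a
# ".." component, the two cases the advisory says were not validated.
# Assumes Unix-style paths as stored in tar headers.
sub unsafe_linkname {
    my ($linkname) = @_;
    return 1 if !defined $linkname || $linkname eq '';   # malformed link entry
    return 1 if $linkname =~ m{^/};                      # absolute target
    return 1 if grep { $_ eq '..' } split m{/+}, $linkname;
    return 0;
}

# Hypothetical helper: list hardlink entries whose target fails the check.
# Takes an Archive::Tar object that has already been read or built.
sub audit_hardlinks {
    my ($tar) = @_;
    my @findings;
    for my $entry ($tar->get_files) {
        next unless $entry->is_hardlink;
        push @findings, sprintf('%s -> %s', $entry->full_path, $entry->linkname)
            if unsafe_linkname($entry->linkname);
    }
    return @findings;
}

# Constructed sample archive, built in memory only (never written to disk).
my $tar = Archive::Tar->new;
$tar->add_data('docs/readme.txt', "hello\n");
$tar->add_data('docs/copy.txt', '', { type => HARDLINK, linkname => 'docs/readme.txt' });
$tar->add_data('notes.txt',     '', { type => HARDLINK, linkname => '../outside/victim.conf' });
$tar->add_data('motd',          '', { type => HARDLINK, linkname => '/constructed/absolute/target' });

# Refuse the whole archive if any hardlink target fails the check.
my @bad = audit_hardlinks($tar);
print "REJECT hardlink: $_\n" for @bad;
print "archive refused, nothing extracted\n" if @bad;
exit(@bad ? 1 : 0);
```

To audit an archive on disk, load it with Archive::Tar->new($path), which reads the entries without extracting them, and pass the object to audit_hardlinks before any extract call.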

Affected Version(s)

Archive::Tar 0 < 3.08
