PatchSiren cyber security CVE debrief
# CVE-2026-44788 adamhathcock CVE debrief

## Summary

SharpCompress versions 0.47.4 and earlier contain a path traversal vulnerability in `IArchive.WriteToDirectory()` that allows malicious archives to create directories outside the intended extraction root. For TAR archives, this can be chained with symlink entries to achieve arbitrary file writes on the target filesystem.
- Vendor: adamhathcock
- Product: sharpcompress
- CVSS: MEDIUM 5.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-26
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-26
- Advisory updated: 2026-05-27
## Who should care

Organizations using SharpCompress for archive processing in .NET applications, particularly those handling untrusted archives from external sources. Developers of file management utilities, backup systems, content management systems, and any application performing automated archive extraction.

## Technical summary

The vulnerability exists in the `IArchive.WriteToDirectory()` method of SharpCompress, a C# compression library. The method fails to properly validate archive entry paths, allowing entry names containing directory traversal sequences (`..`) to escape the intended extraction directory. For TAR archives specifically, the vulnerability can be escalated: a malicious TAR can contain a symlink entry pointing outside the extraction root, followed by a regular file entry whose path passes through that symlink, resulting in an arbitrary file write. The attack requires user interaction (opening a malicious archive) and has high attack complexity, but successful exploitation grants high integrity impact with potential for availability impact. The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).

## Defensive priority

HIGH

## Recommended defensive actions
- Upgrade SharpCompress to a version newer than 0.47.4 when available
- Validate and sanitize archive entry paths before extraction, rejecting entries containing '..' path components or absolute paths
- Implement extraction path validation that resolves canonical paths and verifies they remain within the intended destination directory
- For TAR archives, implement symlink validation to prevent symlink-based path traversal attacks
- Consider using sandboxed extraction environments with restricted filesystem permissions
- Review applications using SharpCompress for archive processing to identify exposure to untrusted archive sources
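The path and symlink checks recommended above, written out as an added C# example (not SharpCompress's own code): entry keys are canonicalized against the destination root and rejected if they escape it, and no write is allowed through an existing filesystem component that is a symlink or junction. The SharpCompress names used (`ArchiveFactory.Open`, `IArchiveEntry.Key`, `IsDirectory`, `OpenEntryStream`) are assumed from the library's public API; everything else is `System.IO`.

```csharp
using System;
using System.IO;
using SharpCompress.Archives; // assumed: ArchiveFactory, IArchiveEntry (Key, IsDirectory, OpenEntryStream)

// Added example, not SharpCompress code: per-entry path and symlink checks before anything is written.
static class SafeExtraction
{
    // Canonical root with a trailing separator, so "C:\out" is not matched by "C:\outside".
    static string CanonicalRoot(string destinationRoot) =>
        Path.GetFullPath(destinationRoot).TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar) + Path.DirectorySeparatorChar;

    // Resolved target path, or null if the entry key escapes the root. Path.GetFullPath collapses ".."
    // segments, so "docs/../../etc/cron.d/x" fails the prefix test; absolute keys are rejected outright.
    public static string? ResolveInsideRoot(string destinationRoot, string entryKey)
    {
        if (string.IsNullOrEmpty(entryKey) || Path.IsPathRooted(entryKey)) return null;
        string root = CanonicalRoot(destinationRoot);
        string candidate = Path.GetFullPath(Path.Combine(root, entryKey));
        return candidate.StartsWith(root, StringComparison.Ordinal) ? candidate : null;
    }

    // TAR escalation from the technical summary: a symlink materialized earlier can redirect a later write.
    // Refuse if any already-existing component of the target is a reparse point (symlink or junction),
    // whether left by an earlier extraction or already present in the destination.
    public static bool WriteWouldTraverseLink(string destinationRoot, string candidate)
    {
        string root = CanonicalRoot(destinationRoot);
        string current = root.TrimEnd(Path.DirectorySeparatorChar);
        foreach (string part in Path.GetRelativePath(root, candidate).Split(Path.DirectorySeparatorChar))
        {
            current = Path.Combine(current, part);
            if (!File.Exists(current) && !Directory.Exists(current)) return false; // not created yet: nothing to follow
            if ((File.GetAttributes(current) & FileAttributes.ReparsePoint) != 0) return true;
        }
        return false;
    }

    // Extracts regular files and directories only; symlink entries are never materialized as links.
    public static void ExtractAll(Stream archiveStream, string destinationRoot)
    {
        using var archive = ArchiveFactory.Open(archiveStream);
        foreach (var entry in archive.Entries)
        {
            string? target = ResolveInsideRoot(destinationRoot, entry.Key ?? "");
            if (target is null || WriteWouldTraverseLink(destinationRoot, target))
                throw new InvalidDataException($"Rejected unsafe archive entry: {entry.Key}");
            if (entry.IsDirectory) { Directory.CreateDirectory(target); continue; }
            Directory.CreateDirectory(Path.GetDirectoryName(target)!);
            using var input = entry.OpenEntryStream();
            using var output = new FileStream(target, FileMode.CreateNew, FileAccess.Write); // never overwrite
            input.CopyTo(output);
        }
    }
}
```

`FileMode.CreateNew` also refuses to overwrite files that already exist in the destination, which is what a pre-planted symlink would otherwise redirect.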
## Evidence notes

- CVE published 2026-05-26T22:16:42.587Z per NVD record
- Affects SharpCompress 0.47.4 and earlier
- CVSS 3.1 score 5.9 (MEDIUM) with vector AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:L
- CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) identified
- GitHub Security Advisory GHSA-6c8g-7p36-r338 is the primary reference

## Official resources

- CVE-2026-44788 CVE record (CVE.org)
- CVE-2026-44788 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-26