PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-42496 BINGOS CVE debrief

Archive::Tar before 3.08 for Perl extracts symbolic links with attacker-controlled targets outside the extraction directory. The _make_special_file() function passes the tar header's linkname directly to symlink() without validating against absolute paths or directory traversal sequences. The secure-extract mode that guards regular file extraction does not apply to symlink targets. A subsequent open operation through the extracted symlink name can read from or write to an attacker-chosen path.

Vendor
BINGOS
Product
Archive::Tar
CVSS
CRITICAL 9.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-26
Original CVE updated
2026-05-27
Advisory published
2026-05-26
Advisory updated
2026-05-27

Who should care

Organizations using Perl applications that process untrusted tar archives, particularly those running with elevated privileges or in multi-tenant environments where archive extraction occurs.

Technical summary

The vulnerability exists in Archive::Tar versions prior to 3.08. When extracting symbolic links from tar archives, the _make_special_file() function uses the linkname field from the tar header as the symlink target without validation. This allows absolute paths (e.g., /etc/passwd) or relative paths with directory traversal (e.g., ../../../etc/passwd) to be used as symlink targets. The secure-extract mode, which validates the paths of regular files, does not extend to symlink targets, so an archive that passes the secure-extract check can still plant a link pointing anywhere the extracting process can reach. Creating the link by itself reads or writes nothing; the damage occurs afterwards, when the application (or any other process) opens the link name and the open resolves to the attacker-chosen target. Depending on what is done with the extracted tree, that becomes an arbitrary file read or an arbitrary file write with the privileges of the opening process.

Defensive priority

high

Recommended defensive actions

  • Upgrade Archive::Tar to version 3.08 or later, including the copy bundled with the system perl (Archive::Tar is a core module); verify with `perl -MArchive::Tar -e 'print "$Archive::Tar::VERSION\n"'`
  • Review applications that extract untrusted tar archives for symlink handling
  • Apply principle of least privilege to processes handling archive extraction
  • Monitor for anomalous file system access patterns from archive extraction operations
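The following script is an added illustration, not code from this advisory or from Archive::Tar itself. It implements, as a pre-extraction check on any tar archive, the validation the technical summary says is missing before 3.08: symlink targets that are absolute or that climb above the extraction root are refused. It goes slightly beyond the advisory by also refusing any later entry whose path equals or passes through a symlink created earlier in the same archive, which is the "subsequent open through the symlink name" case when it happens during the extraction run itself, and by applying the usual path check to regular members. The sample archive, its member names and the /etc/passwd target are constructed for the example; run the check on untrusted archives before handing them to Archive::Tar, or port the same logic into the Perl application that does the extraction.

```python
import io
import posixpath
import tarfile

# Reasons returned by scan_archive(); values are illustrative labels.
ESCAPING_PATH = "member path escapes root"
ESCAPING_SYMLINK = "symlink target escapes root"
THROUGH_SYMLINK = "path passes through earlier symlink"


def _escapes_root(path):
    """True if a normalized member path is absolute or climbs above the root."""
    p = posixpath.normpath(path)
    return p.startswith("/") or p == ".." or p.startswith("../")


def symlink_escapes(member_name, link_target):
    """Return True if a symlink entry named member_name whose target is
    link_target would point outside the extraction root.

    This is the check the advisory says Archive::Tar before 3.08 does not
    apply to the tar header's linkname: absolute targets are refused, and
    relative targets are resolved against the directory that will contain
    the link, then tested for climbing above the root.
    """
    if link_target.startswith("/"):
        return True
    link_dir = posixpath.dirname(posixpath.normpath(member_name))
    resolved = posixpath.normpath(posixpath.join(link_dir, link_target))
    # normpath keeps leading ".." components, so any left at the front
    # means the resolved target lies above the extraction root.
    return resolved == ".." or resolved.startswith("../")


def scan_archive(data):
    """Walk an uncompressed tar archive (bytes) in entry order and return
    (member name, reason) for every entry a hardened extractor must refuse.
    Entries whose path reuses or passes through an earlier symlink are
    refused too: opening such a path follows the link, which is exactly
    how a planted link becomes a read or write at the attacker's target.
    """
    findings = []
    symlink_names = set()
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tar:
        for member in tar.getmembers():
            name = posixpath.normpath(member.name)
            if _escapes_root(name):
                findings.append((member.name, ESCAPING_PATH))
                continue
            parts = name.split("/")
            if any("/".join(parts[:i]) in symlink_names
                   for i in range(1, len(parts) + 1)):
                findings.append((member.name, THROUGH_SYMLINK))
                continue
            if member.issym():
                if symlink_escapes(member.name, member.linkname):
                    findings.append((member.name, ESCAPING_SYMLINK))
                symlink_names.add(name)
    return findings


def build_sample_archive():
    """Constructed sample archive (not a real-world capture): a benign
    in-tree symlink, the two target shapes named in the advisory, a regular
    file whose path reuses the absolute symlink's name, and a regular file
    with a traversing path."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tar:
        def add_file(name, payload):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))

        def add_symlink(name, target):
            info = tarfile.TarInfo(name)
            info.type = tarfile.SYMTYPE
            info.linkname = target
            tar.addfile(info)

        add_file("pkg/README", b"harmless\n")
        add_symlink("pkg/docs", "README")               # resolves to pkg/README
        add_symlink("pkg/abs", "/etc/passwd")           # absolute target
        add_symlink("pkg/rel", "../../../etc/passwd")   # traversal target
        add_file("pkg/abs", b"root::0:0::/:/bin/sh\n")  # open("pkg/abs") follows the link
        add_file("../outside", b"x\n")                  # traversing member path
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in scan_archive(build_sample_archive()):
        print(f"REJECT {name}: {reason}")
```

The benign `pkg/docs -> README` link is accepted because its target, resolved against the directory holding the link, stays under the extraction root; the two links named in the advisory are refused before anything is written to disk, and the later `pkg/abs` file entry is refused because extracting it would open the link name.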

Evidence notes

The vulnerability description indicates that symlink targets are not validated against absolute paths or .. segments during extraction, and that the secure-extract mode check does not cover symlink targets. The weakness is classified as CWE-59 (Improper Link Resolution Before File Access). A patch commit and version 3.08 changelog are referenced as sources.

Official resources

2026-05-26