PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-42497 BINGOS CVE debrief

Archive::Tar versions before 3.08 for Perl are vulnerable to path traversal via hardlink extraction. The _make_special_file() function passes the tar header's linkname directly to link() without validating it against absolute paths or directory traversal sequences (..). This allows creation of a hardlink to an attacker-controlled path outside the extraction directory, sharing the inode of a victim file. Subsequent writes through the extracted filename modify the victim file, and the post-extraction chmod, chown, and utime operations in _extract_file(), which are guarded only against symlinks via -l, apply the tar header's mode, owner, and timestamps to the shared inode during extraction. The vulnerability was published on 2026-05-26 and last modified on 2026-05-26.

Vendor: BINGOS
Product: Archive::Tar
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-26
Original CVE updated: 2026-05-26
Advisory published: 2026-05-26
Advisory updated: 2026-05-26

Who should care

System administrators running Perl applications that process untrusted tar archives, developers using Archive::Tar for archive handling, security teams monitoring for path traversal vulnerabilities in supply chain dependencies, and organizations with automated build or deployment pipelines that extract archives from external sources.

Technical summary

The vulnerability exists in Archive::Tar's handling of hardlinks during archive extraction. When processing a tar archive containing a hardlink entry, the _make_special_file() function reads the linkname from the tar header and passes it directly to the system link() call without sanitization. This allows an attacker to specify an absolute path (e.g., /etc/passwd) or a relative path with directory traversal (e.g., ../../../etc/passwd) as the link target. The hardlink is created within the extraction directory but names a file outside it, so both filenames share the same inode. When the extraction process subsequently writes data to the extracted filename, the victim file is modified.

Additionally, the _extract_file() function applies chmod, chown, and utime operations based on the tar header's mode, uid/gid, and timestamps. These operations are guarded against symlinks via Perl's -l file test, but a hardlink is a regular directory entry and passes this check, so the permission and timestamp changes are applied to the shared inode and therefore to the victim file's attributes. This can lead to privilege escalation if system files are targeted, or to denial of service through corruption of critical files.

Defensive priority

high

Recommended defensive actions

  • Upgrade Archive::Tar to version 3.08 or later
  • Validate all tar archive contents before extraction in untrusted contexts
  • Apply principle of least privilege when running Perl applications that process tar archives
  • Monitor for unexpected file permission or ownership changes on critical system files
  • Review application logs for extraction of archives containing hardlinks with absolute or traversal paths
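The two checks below are an added example for this debrief, not code from Archive::Tar, BINGOS or PatchSiren. They model, in Python's tarfile module rather than Perl, the linkname validation the technical summary says _make_special_file() lacks before 3.08 (the "validate all tar archive contents before extraction" action above) and a post-extraction shared-inode check that shows why a symlink-only guard like Perl's -l (here os.path.islink) does not catch a hardlink. Every function name, the sample archive and the temp-dir scenario are constructed for this example; the archive contents are not taken from any real exploit.

```python
"""Pre-extraction hardlink validation and a post-extraction shared-inode check.

Added example for this debrief, not code from Archive::Tar or PatchSiren. It
uses Python's tarfile module to model the linkname check the advisory says
_make_special_file() lacks before 3.08, and shows why a symlink-only guard
(Perl's -l, here os.path.islink) does not catch a hardlink. All function
names and the sample archive are constructed for this example.
"""
import io
import os
import posixpath
import tarfile
import tempfile


def linkname_is_unsafe(linkname: str) -> bool:
    """True if a hardlink target is absolute or climbs out of the
    extraction root via '..' (normalisation also catches 'a/../../x')."""
    if linkname.startswith("/"):
        return True
    norm = posixpath.normpath(linkname)
    return norm == ".." or norm.startswith("../")


def find_unsafe_hardlinks(archive_bytes: bytes) -> list:
    """Walk the tar headers without extracting anything and return
    (name, linkname) for every hardlink entry that fails the check."""
    bad = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:") as tar:
        for member in tar:  # header iteration only, nothing written to disk
            if member.islnk() and linkname_is_unsafe(member.linkname):
                bad.append((member.name, member.linkname))
    return bad


def build_sample_archive() -> bytes:
    """Constructed archive: a regular file, a benign hardlink to it, a
    hardlink with a '..' traversal target and one with an absolute target."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tar:
        data = b"hello\n"
        reg = tarfile.TarInfo("notes.txt")
        reg.size = len(data)
        tar.addfile(reg, io.BytesIO(data))
        for name, target in [
            ("notes-copy.txt", "notes.txt"),          # safe, stays inside the tree
            ("innocent.txt", "../../../etc/passwd"),  # traversal target
            ("other.txt", "/etc/shadow"),             # absolute target
        ]:
            link = tarfile.TarInfo(name)
            link.type = tarfile.LNKTYPE
            link.linkname = target
            tar.addfile(link)
    return buf.getvalue()


def find_shared_inodes(extract_dir: str) -> list:
    """Post-extraction check: non-symlink files in extract_dir whose inode
    has more than one name, i.e. a hardlink to something else."""
    hits = []
    for dirpath, _dirs, files in os.walk(extract_dir):
        for fname in files:
            path = os.path.join(dirpath, fname)
            st = os.lstat(path)
            if not os.path.islink(path) and st.st_nlink > 1:
                hits.append(os.path.relpath(path, extract_dir))
    return hits


def demo_symlink_guard_gap() -> dict:
    """Recreate the advisory's condition in a private temp dir: a hardlink
    inside the extraction dir to a 'victim' file outside it. The symlink
    test passes, the inode is shared, and a chmod applied through the
    extracted name changes the victim's mode."""
    with tempfile.TemporaryDirectory() as root:
        victim = os.path.join(root, "victim.txt")
        extract_dir = os.path.join(root, "extract")
        os.mkdir(extract_dir)
        with open(victim, "w") as fh:
            fh.write("original\n")
        os.chmod(victim, 0o600)

        extracted = os.path.join(extract_dir, "innocent.txt")
        os.link(victim, extracted)   # what an unvalidated link() call produces

        shares_inode = os.lstat(extracted).st_ino == os.lstat(victim).st_ino
        os.chmod(extracted, 0o644)   # the post-extraction chmod step
        return {
            "symlink_test_flags_it": os.path.islink(extracted),  # False
            "shared_inode_detected": find_shared_inodes(extract_dir),
            "shares_inode": shares_inode,
            "victim_mode_after_chmod": os.stat(victim).st_mode & 0o777,  # 0o644
        }


if __name__ == "__main__":
    print("unsafe hardlink entries:", find_unsafe_hardlinks(build_sample_archive()))
    print("symlink-only guard gap:", demo_symlink_guard_gap())
```

The header scan is the cheap control: it rejects the archive before any link() call happens, and it runs over untrusted input without touching the filesystem. The st_nlink check is the complementary detection for archives that were already extracted by an unpatched version; a link count above one on a freshly extracted regular file is a signal worth alerting on, since a clean extraction tree normally contains only single-name inodes apart from hardlinks the archive legitimately declares between its own members.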

Evidence notes

The vulnerability description indicates that _make_special_file() in Archive::Tar before 3.08 fails to validate the linkname field from tar headers against absolute paths or .. segments before passing it to link(). The _extract_file() function's post-extraction permission and timestamp modifications are only guarded against symlinks (-l test), not hardlinks, allowing these operations to affect files outside the intended extraction directory through the shared inode.

Official resources

2026-05-26