PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-12565 Black Lantern Security CVE debrief

CVE-2026-12565 is a medium-severity path traversal vulnerability in the unarchive internal module's archive extraction commands. The vulnerability allows a malicious archive to write files outside the intended extraction directory on systems with GNU tar < 1.34, such as Ubuntu 20.04, Debian Buster, and CentOS 7. This issue was not fully addressed by CVE-2025-10284, which only fixed git-specific RCE vectors. Affected systems are at risk of file system corruption and potential code execution. Users of the unarchive module should update to a version that performs code-level validation on extracted file paths, or run on a platform with GNU tar 1.34 or later. The vulnerability has a CVSS score of 5.3 and is considered a medium threat.

Vendor: Black Lantern Security
Product: BBOT
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-17
Original CVE updated: 2026-06-22
Advisory published: 2026-06-17
Advisory updated: 2026-06-22

Who should care

Developers and administrators using the unarchive internal module, especially those with systems running GNU tar < 1.34, should be aware of this vulnerability. This includes users of Ubuntu 20.04, Debian Buster, CentOS 7, and many Docker base images. They should assess their exposure and take necessary actions to mitigate the risk.

Technical summary

The unarchive internal module's archive extraction commands do not perform code-level validation on extracted file paths, relying on external tools like GNU tar. On systems with GNU tar < 1.34, a malicious archive can write files outside the intended extraction directory, potentially leading to file system corruption and code execution. This vulnerability was not fully addressed by CVE-2025-10284, which only fixed git-specific RCE vectors.

Defensive priority

Medium

Recommended defensive actions

  • Update the unarchive module to a version that performs code-level validation on extracted file paths.
  • Use a platform with GNU tar 1.34 or later.
  • Validate and sanitize archive file paths before extraction.
  • Implement additional security measures, such as file system access controls and monitoring.
  • Regularly review and update dependencies to ensure they are free from known vulnerabilities.
  • Consider using alternative archive extraction tools that provide better security features.
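The code-level path validation that the technical summary and the recommended actions call for, as an added Python example (not BBOT's or PatchSiren's code): every archive member is checked against the destination directory before anything is written, so the outcome no longer depends on the host's GNU tar version. The destination path and the in-memory sample archive are constructed for the demonstration.

```python
import io
import os
import tarfile

def _inside(path, root):
    """True if the resolved path is the root itself or lies beneath it."""
    return path == root or path.startswith(root + os.sep)

def unsafe_members(tar, dest):
    """Return names of members that would write, or link, outside dest."""
    root = os.path.realpath(dest)
    rejected = []
    for m in tar.getmembers():
        target = os.path.realpath(os.path.join(root, m.name))
        if m.issym():    # symlink targets resolve relative to the link's directory
            link = os.path.realpath(os.path.join(os.path.dirname(target), m.linkname))
        elif m.islnk():  # hard-link targets are archive-relative
            link = os.path.realpath(os.path.join(root, m.linkname))
        else:
            link = root
        # Reject '..' and absolute-path escapes, links pointing out, and device/FIFO nodes.
        if not (_inside(target, root) and _inside(link, root)) or m.isdev():
            rejected.append(m.name)
    return rejected

def safe_extract(tar, dest):
    """Extract only after the whole member list has passed validation."""
    rejected = unsafe_members(tar, dest)
    if rejected:
        raise ValueError(f"refusing to extract, unsafe members: {rejected}")
    tar.extractall(dest)

def build_sample_archive():
    """Constructed archive: a benign file, a '..' escape and a symlink pointing out."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in (("report/notes.txt", b"ok\n"), ("../escaped.txt", b"x\n")):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
        link = tarfile.TarInfo("report/link")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside-target"
        tar.addfile(link)
    return buf.getvalue()

def check_sample_archive(dest="/tmp/extract-dest"):
    """Run the validator over the constructed archive; returns the rejected names."""
    with tarfile.open(fileobj=io.BytesIO(build_sample_archive())) as tar:
        return unsafe_members(tar, dest)
```

On Python 3.12 and later, `extractall(dest, filter="data")` applies comparable checks from the standard library; the explicit pre-check above gives the same guarantee on older interpreters.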

Evidence notes

The information provided is based on the CVE-2026-12565 record from the National Vulnerability Database (NVD) and the Common Vulnerabilities and Exposures (CVE) database. The vulnerability details and CVSS score were obtained from these official sources.
