PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-39243 kevva CVE debrief

CVE-2026-39243 is a vulnerability in the decompress package before version 4.2.2 that allows for arbitrary hardlink creation during archive extraction. This can lead to file read disclosure and file corruption. The vulnerability is due to the lack of validation when processing hardlink entries in the archive, specifically in the index.js file at line 113. The decompress package is used in various applications, and developers and administrators should be aware of this vulnerability and take steps to mitigate it. This is particularly important for applications that handle archive files from untrusted sources. The vulnerability has a CVSS score of 5.5 and a severity of MEDIUM.

Vendor
kevva
Product
decompress
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-09
Original CVE updated
2026-07-10
Advisory published
2026-07-09
Advisory updated
2026-07-10

Who should care

Developers and administrators using the decompress package in their applications should be aware of this vulnerability and take steps to mitigate it. This is particularly important for applications that handle archive files from untrusted sources. Affected operators, platforms, and security teams should review the official advisory and CVE record to validate affected scope, severity, and vendor guidance.

Technical summary

The decompress package before version 4.2.2 does not properly validate hardlink entries in archives. When processing hardlink entries, the x.linkname field from the archive is passed directly to fs.link() without validation. This allows an attacker to craft an archive with a hardlink entry whose linkname is an absolute path to any file on the same filesystem. As a result, a hardlink is created inside the extraction directory that shares the same inode as the target file, enabling both reading and overwriting of the original file's content.

Defensive priority

Medium priority should be given to updating the decompress package to version 4.2.2 or later. In the meantime, users should exercise caution when extracting archives from untrusted sources.

Recommended defensive actions

  • Update the decompress package to version 4.2.2 or later.
  • Validate and sanitize archive files before extraction.
  • Implement additional security measures to monitor and restrict file system operations.
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.

Evidence notes

The CVE record was published on 2026-07-09T22:17:04.113Z and was last modified on 2026-07-10T16:16:29.347Z. The NVD entry is currently 5.5 (MEDIUM). The decompress package before version 4.2.2 allows arbitrary hardlink creation during archive extraction, enabling file read disclosure and file corruption. Evidence limits suggest that further verification is needed to confirm affected scope and severity. Defenders should verify the official advisory and CVE record to validate affected scope, severity, and vendor guidance.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-09T22:17:04.113Z and has not been modified since then.