Vulnerabilities ›

CVE-2026-42497

High

CWE-59 — Weakness Type

                    Published: May 26, 2026                      ·  Modified: Jun 2, 2026                      ·  Source: NVD                

CVSS v3

7.5

🔗 NVD Official

📄 Description (English)

Archive::Tar versions before 3.08 for Perl extract hardlinks to attacker controlled paths outside the extraction directory.

_make_special_file() passes the tar header's linkname to link() without validating it against absolute paths or .. segments, creating a hardlink that shares the victim file's inode.

A subsequent write through the extracted name modifies the victim file, and the post-extraction chmod, chown, and utime block in _extract_file() (guarded only against symlinks via -l) applies the tar header's mode, owner, and timestamps to the shared inode during extraction alone.

🤖 AI Executive Summary

Archive::Tar versions before 3.08 for Perl fail to validate hardlink paths during extraction, allowing attackers to create hardlinks to files outside the extraction directory. This vulnerability enables arbitrary file modification through inode sharing when extracted files are written and their permissions are applied.

📄 Description (Arabic)

تفشل Archive::Tar في الإصدارات السابقة للإصدار 3.08 في التحقق من صحة مسارات الروابط الثابتة أثناء استخراج ملفات tar، مما يسمح للمهاجمين بإنشاء روابط ثابتة إلى ملفات خارج دليل الاستخراج. يمكن للمهاجم تعديل الملفات التعسفية من خلال مشاركة inode عند كتابة الملفات المستخرجة وتطبيق الأذونات.

🤖 ملخص تنفيذي (AI)

🤖 AI Intelligence Analysis Analyzed: May 30, 2026 00:03

🇸🇦 Saudi Arabia Impact Assessment

Saudi Relevance: high

🏢 Affected Saudi Sectors

banking telecom energy government healthcare

🎯 MITRE ATT&CK Techniques

T1566.001 T1204.002 T1027.001

⚖️ Saudi Risk Score (AI)

7.0

/ 10.0

🔧 Remediation Steps (English)

Update Archive::Tar to version 3.08 or later immediately. Validate all hardlink paths in tar archives before extraction to ensure they do not reference absolute paths or contain .. segments. Implement strict extraction directory boundaries and restrict file operations to the intended extraction directory only.

🔧 خطوات المعالجة (العربية)

قم بتحديث Archive::Tar إلى الإصدار 3.08 أو أحدث فوراً. تحقق من جميع مسارات الروابط الثابتة في ملفات tar قبل الاستخراج للتأكد من عدم الإشارة إلى مسارات مطلقة أو احتواؤها على مقاطع ... قم بتنفيذ حدود صارمة لدليل الاستخراج وقيد عمليات الملفات على دليل الاستخراج المقصود فقط.

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

A.7.1 A.7.2 A.12.6

🔵 SAMA CSF

ID.BE-1 PR.DS-1 PR.DS-2

🟡 ISO 27001:2022

A.12.2.1 A.14.1.1 A.14.2.1

🔗 References & Sources 3

🔗

https://github.com/jib/archive-tar-new/commit/17c873492a05eddc0de18c1485e0b2cccd5a9158....

9b29abf9-4ab0-4765-b253-1875cd9b441e

Patch

🔗

https://metacpan.org/release/BINGOS/Archive-Tar-3.08/changes

9b29abf9-4ab0-4765-b253-1875cd9b441e

Release Notes

🔗

https://www.cve.org/CVERecord?id=CVE-2026-42496

9b29abf9-4ab0-4765-b253-1875cd9b441e

Third Party Advisory

📦 Affected Products / CPE 1 entries

archive\:\:tar_project

📊 CVSS Score

7.5

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredN — None / Network

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityN — None / Network

IntegrityH — High

AvailabilityN — None / Network

📋 Quick Facts

Severity High

CVSS Score7.5

CWECWE-59

EPSS0.04%

Exploit No

Patch ✓ Yes

Published 2026-05-26

Source Feed nvd

🇸🇦 Saudi Risk Score

7.0

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

patch-available CWE-59

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

CVE-2026-42497

Introduce Yourself

Sign In Required