Arbitrary file write in FileUtil#unpackEntries on Windows
Description
In Apache Hadoop, the unTar function uses the unTarUsingJava function on Windows and the built-in tar utility on Unix and other OSes. As a result, a TAR entry may create a symlink under the expected extraction directory which points to an external directory, and a subsequent TAR entry may extract an arbitrary file into that external directory using the symlink name. On Unix this is caught by the targetDirPath check, because getCanonicalPath resolves the link; on Windows, however, getCanonicalPath does not resolve symbolic links, which bypasses the check. unpackEntries therefore follows symbolic links during TAR extraction, allowing writes outside the expected base directory on Windows. This was addressed in Apache Hadoop 3.2.3.
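Added example (not Hadoop's own code): a Python check, written from the extraction side, that walks a TAR archive in entry order and flags the two-entry pattern the description covers, a symlink whose target lies outside the base directory and a later entry whose path passes through it. The archive it inspects is constructed inline; `/extract` and `C:/Windows` are placeholder paths.

```python
import io
import posixpath
import re
import tarfile

def _inside(base, path):
    # True if an already-normalised path stays at or below base.
    return path == base or path.startswith(base + "/")

def audit_tar(data, base="/extract"):
    """Return findings for entries that would land outside base: a symlink whose
    target is outside base, and any later entry written through that symlink."""
    findings, symlinks = [], {}  # symlinks: entry name -> normalised target
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tar:
        for m in tar:
            name = posixpath.normpath(m.name.replace("\\", "/"))
            if not _inside(base, posixpath.normpath(posixpath.join(base, name))):
                findings.append(f"{m.name}: path escapes {base}")
                continue
            parts = name.split("/")
            for i in range(1, len(parts)):  # does a parent component reuse a symlink?
                prefix = "/".join(parts[:i])
                if prefix in symlinks:
                    findings.append(f"{m.name}: written through symlink {prefix} -> {symlinks[prefix]}")
                    break
            if m.issym():
                link = m.linkname.replace("\\", "/")
                # POSIX roots and Windows drive letters (C:/...) are absolute targets
                if link.startswith("/") or re.match(r"^[A-Za-z]:", link):
                    target = posixpath.normpath(link)
                else:
                    target = posixpath.normpath(posixpath.join(base, posixpath.dirname(name), link))
                symlinks[name] = target
                if not _inside(base, target):
                    findings.append(f"{m.name}: symlink target {m.linkname} outside {base}")
    return findings

def build_sample():
    """Constructed archive: a symlink to an external directory, then a file written via it."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        link = tarfile.TarInfo("conf")
        link.type = tarfile.SYMTYPE
        link.linkname = "C:/Windows"  # placeholder external target, as in the advisory text
        tar.addfile(link)
        for name, body in (("conf/evil.txt", b"x"), ("data/ok.txt", b"ok")):
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()
```

Running `audit_tar(build_sample())` reports the symlink entry and the file written through it, while `data/ok.txt` produces no finding.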
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Hadoop on Windows is vulnerable to path traversal via TAR symlinks, allowing file extraction outside the target directory.
Vulnerability
The unTar function in Apache Hadoop uses unTarUsingJava on Windows and the built-in tar utility on Unix. A TAR entry can create a symbolic link within the extraction directory pointing to an external directory; a subsequent entry can extract an arbitrary file into that external directory via the symlink. This affects all versions prior to Apache Hadoop 3.2.3 [1][2].
Exploitation
An attacker must have the ability to supply a crafted TAR archive to the extraction function (e.g., through a Hadoop service that processes user-uploaded TAR files). On Windows, getCanonicalPath does not resolve symbolic links, so the targetDirPath check is bypassed. The exploitation sequence involves a TAR entry that creates a symlink (e.g., pointing to C:\Windows), followed by an entry that writes a malicious file using that symlink path [1].
Impact
Successful exploitation allows an attacker to write arbitrary files to any location on the Windows filesystem that the Hadoop process can access. This could result in remote code execution, privilege escalation, or data compromise [1].
Mitigation
The vulnerability is fixed in Apache Hadoop 3.2.3 [1][2]. Users should upgrade to this version or later. No workarounds are documented; running Hadoop on Windows with untrusted TAR extraction is not recommended without the fix.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.hadoop:hadoop-common | Maven | >= 3.2.0, < 3.2.3 | 3.2.3 |
| org.apache.hadoop:hadoop-common | Maven | < 2.10.2 | 2.10.2 |
| org.apache.hadoop:hadoop-common | Maven | >= 3.3.0, < 3.3.3 | 3.3.3 |
Affected products
- Apache Software Foundation / Apache Hadoop (range: unspecified)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-gx2c-fvhc-ph4j (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-26612 (GHSA, advisory)
- github.com/apache/hadoop/commits/rel/release-2.10.2/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FileUtil.java (GHSA, web)
- github.com/apache/hadoop/commits/rel/release-3.2.3/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FileUtil.java (GHSA, web)
- github.com/apache/hadoop/commits/rel/release-3.3.3/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FileUtil.java (GHSA, web)
- github.com/apache/hadoop/commits/rel/release-3.4.0/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FileUtil.java (GHSA, web)
- issues.apache.org/jira/browse/HADOOP-18317 (GHSA, web)
- lists.apache.org/thread/hslo7wzw2449gv1jyjk8g6ttd7935fyz (GHSA, x_refsource_MISC, web)
- security.netapp.com/advisory/ntap-20220519-0004 (GHSA, web)
- security.netapp.com/advisory/ntap-20220519-0004/ (MITRE, x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.