VYPR
Unrated severity · NVD Advisory · Published May 26, 2026

CVE-2026-42496

Description

Archive::Tar versions before 3.08 for Perl extract symlinks with attacker-controlled targets outside the extraction directory.

_make_special_file() passes the tar header's linkname to symlink() without validating it against absolute paths or .. segments. The secure-extract mode check that guards regular file extraction does not cover the symlink target.

A subsequent open through the extracted name reads or writes the attacker-chosen path.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Archive::Tar before 3.08 for Perl extracts symlinks with absolute or traversal targets outside the extraction directory, enabling arbitrary file read/write.

Vulnerability

Archive::Tar versions before 3.08 for Perl contain a symlink extraction vulnerability in the _make_special_file() function. When processing tar entries with the symlink type, the function passes the attacker-controlled linkname from the tar header directly to symlink() without validating whether the target is an absolute path or contains .. traversal segments [1]. The secure-extract mode check that guards regular file extraction does not cover symlink targets, so even when secure mode is enabled (the default), this validation bypass is active [1].

Exploitation

An attacker must deliver a specially crafted tar archive containing a symlink entry whose linkname points to an arbitrary file outside the intended extraction directory (e.g., /etc/passwd or ../../../etc/shadow). The attacker does not require authentication beyond the ability to provide the archive to a user or process that extracts it with Archive::Tar. No special privileges are needed; the extraction occurs under the permissions of the target user [1].

Impact

On successful extraction, the created symlink points to the attacker-chosen path. Any subsequent file operation performed by the extracting process through that symlink (e.g., overwriting the symlink with a regular file) can read or write arbitrary files on the system at the privilege level of the extracting user. This can lead to information disclosure, privilege escalation, or arbitrary code execution if the attacker can write to a location like a startup script or library path [1].

Mitigation

Upgrade to Archive::Tar version 3.08 or later, released on 2026-05-21, which adds validation of symlink and hardlink targets in secure-extract mode [1][2]. The fix rejects absolute targets and paths containing .. segments when not running in insecure mode. No workaround is available for versions before 3.08; users must update the module [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches (1)
17c873492a05

Validate symlink and hardlink linkname in SECURE MODE

https://github.com/jib/archive-tar-new · Stig Palmquist · May 21, 2026 · via nvd-ref
2 files changed · +32 −0
  • lib/Archive/Tar.pm (+30 −0, modified)
    @@ -955,6 +955,19 @@ sub _make_special_file {
         my $err;
     
         if( $entry->is_symlink ) {
    +        if( !$INSECURE_EXTRACT_MODE ) {
    +            my $linkname = $entry->linkname;
    +            if( File::Spec->file_name_is_absolute($linkname) ) {
    +                $self->_error( qq[Symlink '] . $entry->full_path .
    +                    qq[' has absolute target. Not extracting under SECURE EXTRACT MODE] );
    +                return;
    +            }
    +            if( grep { $_ eq '..' } File::Spec->splitdir($linkname) ) {
    +                $self->_error( qq[Symlink '] . $entry->full_path .
    +                    qq[' target attempts traversal. Not extracting under SECURE EXTRACT MODE] );
    +                return;
    +            }
    +        }
             my $fail;
             if( ON_UNIX ) {
                 symlink( $entry->linkname, $file ) or $fail++;
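Review bot: the two symlink rejection messages omit the offending target, whereas the hardlink branch later in this function quotes `'$linkname'`; include it here as well (e.g. `qq[' has absolute target '$linkname'. Not extracting under SECURE EXTRACT MODE]`) so an operator reading the error can tell which entry was refused without re-listing the archive. Note also that `$linkname` is scoped to the `if( !$INSECURE_EXTRACT_MODE )` block, so the later `symlink( $entry->linkname, $file )` re-reads the header; hoisting `my $linkname = $entry->linkname;` above the guard would keep the validated value and the value actually passed to `symlink()` visibly the same.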
    @@ -968,6 +981,23 @@ sub _make_special_file {
                     $entry->linkname .q[' failed] if $fail;
     
         } elsif ( $entry->is_hardlink ) {
    +        if( !$INSECURE_EXTRACT_MODE ) {
    +            my $linkname = $entry->linkname;
    +            if( File::Spec->file_name_is_absolute($linkname) ) {
    +                $self->_error( qq[Hardlink '] . $entry->full_path .
    +                    qq[' has absolute target '$linkname'. Not extracting ] .
    +                    qq[under SECURE EXTRACT MODE: extraction itself chmods ] .
    +                    qq[the shared inode.] );
    +                return;
    +            }
    +            if( grep { $_ eq '..' } File::Spec->splitdir($linkname) ) {
    +                $self->_error( qq[Hardlink '] . $entry->full_path .
    +                    qq[' target '$linkname' attempts traversal. Not ] .
    +                    qq[extracting under SECURE EXTRACT MODE: extraction ] .
    +                    qq[itself chmods the shared inode.] );
    +                return;
    +            }
    +        }
             my $fail;
             if( ON_UNIX && $EXTRACT_HARDLINK ) {
                 link( $entry->linkname, $file ) or $fail++;
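Review bot: this block is a near-verbatim copy of the symlink check above, differing only in the message text; factor both into a helper such as `_validate_linkname($entry, 'Hardlink')` so the two branches cannot drift apart when the rule is next adjusted. Also, the check runs before the `ON_UNIX && $EXTRACT_HARDLINK` gate, so an absolute or traversing hardlink entry is now rejected even on configurations where `link()` would never be called; the message's own rationale (extraction chmods the shared inode) only applies when the link is actually created, so either gate the check on the same condition or add a comment explaining why rejecting in every configuration is intended.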
    
  • t/04_resolved_issues.t (+2 −0, modified)
    @@ -220,6 +220,7 @@ if ($^O ne 'msys') # symlink tests fail on Windows/msys2
     		}
     
         { #use case 1 - in memory extraction
    +      local $Archive::Tar::INSECURE_EXTRACT_MODE=1;
     			my $t=Archive::Tar->new;
     			$t->read( $archname );
     			my $r = eval{ $t->extract };
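Review bot: the inserted `local $Archive::Tar::INSECURE_EXTRACT_MODE=1;` is indented with spaces while the surrounding block uses tabs, and lacks the spaces around `=` used elsewhere in the file; match the existing indentation and spacing. A one-line comment stating why this test now needs insecure mode (its fixture archive contains link targets the new check refuses) would also stop a later reader from removing the line as redundant.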
    @@ -231,6 +232,7 @@ if ($^O ne 'msys') # symlink tests fail on Windows/msys2
     
     		{ #use case 2 - iter extraction
     		  #$DB::single = 2;
    +      local $Archive::Tar::INSECURE_EXTRACT_MODE=1;
     			my $next=Archive::Tar->iter( $archname, 1 );
     			my $failed = 0;
     			#use Data::Dumper;
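Review bot: both test hunks only relax existing tests to insecure mode; nothing exercises the new rejection path. Add a case to this file that builds an archive with a symlink entry whose linkname is absolute, and one with a `..` component, extracts it under the default secure mode, and asserts that `extract` returns false with the new "Not extracting under SECURE EXTRACT MODE" error and that no link was created on disk; a companion case under `local $Archive::Tar::INSECURE_EXTRACT_MODE = 1;` should confirm the previous behaviour remains reachable.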
    

Vulnerability mechanics

Root cause

"Missing validation of symlink and hardlink linkname targets in _make_special_file() allows extraction of symlinks pointing outside the extraction directory."

Attack vector

An attacker crafts a tar archive containing a symlink (or hardlink) entry whose linkname points to an attacker-chosen path, such as an absolute path like `/etc/passwd` or a relative traversal like `../../etc/passwd`. When Archive::Tar extracts the archive in secure-extract mode (the default), `_make_special_file()` calls `symlink( $entry->linkname, $file )` without checking the linkname [ref_id=1]. The extracted symlink then points outside the extraction directory. A subsequent read or write through that symlink accesses the attacker-chosen target path.

Affected code

The vulnerability resides in `_make_special_file()` in `lib/Archive/Tar.pm` [patch_id=2539785]. The function passes the tar header's `linkname` directly to `symlink()` (and `link()` for hardlinks) without validating whether the target is an absolute path or contains `..` traversal segments. The secure-extract-mode checks that protect regular file extraction did not cover symlink or hardlink targets.

What the fix does

The patch adds validation in `_make_special_file()` before calling `symlink()` or `link()` [patch_id=2539785]. When not in insecure-extract mode, it checks whether the linkname is absolute (via `File::Spec->file_name_is_absolute`) or contains `..` segments (via `grep` on `File::Spec->splitdir`). If either condition is true, the extraction is aborted with an error message. The test file `t/04_resolved_issues.t` is also updated to set `$Archive::Tar::INSECURE_EXTRACT_MODE=1` in existing tests that rely on symlinks, preserving backward compatibility for explicit insecure mode usage [ref_id=1].
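As an added example (not the module's code nor the author's), the Python script below applies the same two rules the patch adds, an absolute target and a `..` path component, to every symlink and hardlink member of a tar archive before extraction, so an archive can be audited on a host where an unpatched Archive::Tar is still installed. It assumes POSIX path semantics (the Unix File::Spec behaviour) and uses a constructed in-memory archive as its input.

```python
import io
import posixpath
import tarfile

def link_target_is_unsafe(linkname):
    # Same two checks the 3.08 patch adds: File::Spec->file_name_is_absolute
    # and a '..' component among File::Spec->splitdir (POSIX rules assumed here).
    if posixpath.isabs(linkname):
        return "absolute target"
    if ".." in linkname.split("/"):
        return "target attempts traversal"
    return None  # target stays relative to the link's own directory

def audit_tar_links(data):
    # Return (member name, linkname, reason) for every symlink or hardlink
    # member that secure-extract mode in the patched module would refuse.
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for member in tf.getmembers():
            if not (member.issym() or member.islnk()):
                continue
            reason = link_target_is_unsafe(member.linkname)
            if reason is not None:
                kind = "symlink" if member.issym() else "hardlink"
                findings.append((member.name, member.linkname, f"{kind} {reason}"))
    return findings

def build_sample_archive():
    # Constructed sample (not from the advisory): one regular file, one benign
    # relative symlink, and three link entries the check should reject.
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        payload = b"hello\n"
        reg = tarfile.TarInfo("pkg/README")
        reg.size = len(payload)
        tf.addfile(reg, io.BytesIO(payload))
        for name, target, typ in [
            ("pkg/ok_link", "README", tarfile.SYMTYPE),
            ("pkg/abs_link", "/etc/passwd", tarfile.SYMTYPE),
            ("pkg/up_link", "../../etc/passwd", tarfile.SYMTYPE),
            ("pkg/hard_link", "../outside", tarfile.LNKTYPE),
        ]:
            ti = tarfile.TarInfo(name)
            ti.type = typ
            ti.linkname = target
            tf.addfile(ti)
    return buf.getvalue()

if __name__ == "__main__":
    for name, target, reason in audit_tar_links(build_sample_archive()):
        print(f"REJECT {name} -> {target}: {reason}")
```

Run against a real archive with `audit_tar_links(open(path, "rb").read())`; an empty result means every link target passes the patched module's secure-mode checks.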

Preconditions

  • config: The victim must extract a tar archive using Archive::Tar in secure-extract mode (the default).
  • input: The attacker must supply a tar archive containing a symlink or hardlink entry with an absolute or traversal linkname.

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
