{"id":"CVE-2026-42496","summary":"Archive::Tar versions before 3.08 for Perl extract symlinks with attacker controlled targets outside the extraction directory","details":"Archive::Tar versions before 3.08 for Perl extract symlinks with attacker controlled targets outside the extraction directory.\n\n_make_special_file() passes the tar header's linkname to symlink() without validating it against absolute paths or .. segments. The secure-extract mode check that guards regular file extraction does not cover the symlink target.\n\nA subsequent open through the extracted name reads or writes the attacker chosen path.","modified":"2026-06-18T03:56:11.464263358Z","published":"2026-05-26T00:17:19.110Z","database_specific":{"cwe_ids":["CWE-59"],"cna_assigner":"CPANSec","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42496.json"},"references":[{"type":"WEB","url":"https://cpan.org/modules"},{"type":"WEB","url":"https://www.cve.org/CVERecord?id=CVE-2026-42497"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42496.json"},{"type":"ADVISORY","url":"https://metacpan.org/release/BINGOS/Archive-Tar-3.08/changes"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42496"},{"type":"FIX","url":"https://github.com/jib/archive-tar-new/commit/17c873492a05eddc0de18c1485e0b2cccd5a9158.patch"},{"type":"PACKAGE","url":"https://github.com/jib/archive-tar-new"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jib/archive-tar-new","events":[{"introduced":"0"},{"fixed":"56670a5136ae16cacdca3ccd0735de044af01b48"},{"fixed":"17c873492a05eddc0de18c1485e0b2cccd5a9158"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"3.08"}],"source":["CPE_RANGE","REFERENCES"],"cpe":"cpe:2.3:a:archive\\:\\:tar_project:archive\\:\\:tar:*:*:*:*:*:perl:*:*"}}],"versions":["3.06","3.04","3.02","3.00","2.40","2.38","2.36","2.34","2.32","2.30","2.28","2.26","2.24","2.22","2.20","2.18","2.16","2.14","2.12","2.10","2.08","2.06","2.04","2.02","2.00","1.98","1.96","1.94","1.93_02","1.93_01","1.92","1.88","1.86","1.84","1.82","1.80","1.78"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-42496.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"}]}