{"id":"CVE-2026-42497","summary":"Archive::Tar versions before 3.08 for Perl extract hardlinks to attacker controlled paths outside the extraction directory","details":"Archive::Tar versions before 3.08 for Perl extract hardlinks to attacker controlled paths outside the extraction directory.\n\n_make_special_file() passes the tar header's linkname to link() without validating it against absolute paths or .. segments, creating a hardlink that shares the victim file's inode.\n\nA subsequent write through the extracted name modifies the victim file, and the post-extraction chmod, chown, and utime block in _extract_file() (guarded only against symlinks via -l) applies the tar header's mode, owner, and timestamps to the shared inode during extraction alone.","modified":"2026-06-18T03:54:58.779770285Z","published":"2026-05-26T00:17:50.656Z","database_specific":{"cna_assigner":"CPANSec","cwe_ids":["CWE-59","CWE-732"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42497.json"},"references":[{"type":"WEB","url":"https://cpan.org/modules"},{"type":"WEB","url":"https://www.cve.org/CVERecord?id=CVE-2026-42496"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42497.json"},{"type":"ADVISORY","url":"https://metacpan.org/release/BINGOS/Archive-Tar-3.08/changes"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42497"},{"type":"FIX","url":"https://github.com/jib/archive-tar-new/commit/17c873492a05eddc0de18c1485e0b2cccd5a9158.patch"},{"type":"PACKAGE","url":"https://github.com/jib/archive-tar-new"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jib/archive-tar-new","events":[{"introduced":"0"},{"fixed":"56670a5136ae16cacdca3ccd0735de044af01b48"},{"fixed":"17c873492a05eddc0de18c1485e0b2cccd5a9158"}],"database_specific":{"cpe":"cpe:2.3:a:archive\\:\\:tar_project:archive\\:\\:tar:*:*:*:*:*:perl:*:*","extracted_events":[{"introduced":"0"},{"fixed":"3.08"}],"source":["CPE_RANGE","REFERENCES"]}}],"versions":["3.06","3.04","3.02","3.00","2.40","2.38","2.36","2.34","2.32","2.30","2.28","2.26","2.24","2.22","2.20","2.18","2.16","2.14","2.12","2.10","2.08","2.06","2.04","2.02","2.00","1.98","1.96","1.94","1.93_02","1.93_01","1.92","1.88","1.86","1.84","1.82","1.80","1.78"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-42497.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}