CVE-2026-42496

CVE-2026-42496: Archive::Tar versions before 3.08 for Perl extract symlinks with attacker-controlled targets outside the extraction directory

Vendor: Bingos
Product: Archive::Tar
Weakness: CWE-59
Published: May 26, 2026
Last update: June 30, 2026

What the vulnerability does

01 Description

Archive::Tar versions before 3.08 for Perl extract symlinks with attacker-controlled targets outside the extraction directory. _make_special_file() passes the tar header's linkname to symlink() without validating it against absolute paths or .. segments. The secure-extract mode check that guards regular file extraction does not cover the symlink target. A subsequent open through the extracted name reads or writes the attacker-chosen path.
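
A pre-extraction audit for the symlink targets described above, as an added example that is not Archive::Tar's own code or its 3.08 fix: it refuses any symlink entry whose linkname is absolute or contains a .. segment. The helper names unsafe_link_target and audit_symlinks and the in-memory sample archive are constructed for illustration; Unix-style path separators are assumed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Archive::Tar;
use Archive::Tar::Constant;    # exports the SYMLINK type constant

# Hypothetical helper: return a reason string if a symlink target must be
# refused, or undef if it is acceptable. The policy is deliberately
# conservative: any ".." segment is refused, because an earlier symlink in
# the same archive can make a lexically "balanced" path escape anyway.
sub unsafe_link_target {
    my ($linkname) = @_;
    return 'missing target'  if !defined $linkname || $linkname eq '';
    return 'absolute target' if $linkname =~ m{^/};
    return '".." segment in target'
        if grep { $_ eq '..' } split m{/+}, $linkname;
    return;
}

# Hypothetical helper: collect [entry path, link target, reason] for every
# symlink entry in the archive that fails the check above.
sub audit_symlinks {
    my ($tar) = @_;
    my @findings;
    for my $entry ($tar->get_files) {
        next unless $entry->is_symlink;
        my $reason = unsafe_link_target($entry->linkname);
        push @findings, [ $entry->full_path, $entry->linkname, $reason ]
            if defined $reason;
    }
    return @findings;
}

# Constructed sample archive, built in memory (nothing is written to disk).
my $tar = Archive::Tar->new;
$tar->add_data('docs/readme.txt', "hello\n");
$tar->add_data('docs/latest', '', { type => SYMLINK, linkname => 'readme.txt' });
$tar->add_data('docs/up',     '', { type => SYMLINK, linkname => '../../outside/file' });
$tar->add_data('abs',         '', { type => SYMLINK, linkname => '/constructed/absolute/path' });

my @bad = audit_symlinks($tar);
printf "REFUSE %s -> %s (%s)\n", @$_ for @bad;

# Only an archive with no findings should go on to be extracted.
exit(@bad ? 1 : 0);
```

On versions before 3.08 a check like this has to run before extraction, since the description states that the secure-extract mode check does not cover the symlink target.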

Key dates

02 Disclosure timeline

May 26, 2026: CVE published
June 30, 2026: Record updated
