CVE-2026-42497

ADVISORY - nist

Summary

Archive::Tar versions before 3.08 for Perl extract hardlinks to attacker controlled paths outside the extraction directory.

_make_special_file() passes the tar header's linkname to link() without validating it against absolute paths or .. segments, creating a hardlink that shares the victim file's inode.

A subsequent write through the extracted name modifies the victim file, and the post-extraction chmod, chown, and utime block in _extract_file() (guarded only against symlinks via -l) applies the tar header's mode, owner, and timestamps to the shared inode during extraction alone.

EPSS Score⁠: 0.00048 (0.151)

Common Weakness Enumeration (CWE)

ADVISORY - nist

NIST

CREATED

10 days ago

UPDATED

7 days ago

ADVISORY IDCVE-2026-42497⁠

EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)

CWE-59⁠CWE-732⁠

CVSS SCORE

7.5high

Debian

CREATED

10 days ago

UPDATED

9 days ago

ADVISORY IDCVE-2026-42497⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

Ubuntu

CREATED

9 days ago

UPDATED

6 days ago

ADVISORY IDCVE-2026-42497⁠

EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

7.5medium

CVE-2026-42497

Summary

Common Weakness Enumeration (CWE)

CWE-59⁠

CWE-732⁠

Advisories

NIST

CVSS SCORE

Debian

Ubuntu

CVSS SCORE