Sign In

CVE-2026-26960

ADVISORY - github

Summary

Summary

tar.extract() in Node tar allows an attacker-controlled archive to create a hardlink inside the extraction directory that points to a file outside the extraction root, using default options.

This enables arbitrary file read and write as the extracting user (no root, no chmod, no preservePaths).

Severity is high because the primitive bypasses path protections and turns archive extraction into a direct filesystem access primitive.

Details

The bypass chain uses two symlinks plus one hardlink:

  1. a/b/c/up -> ../..
  2. a/b/escape -> c/up/../..
  3. exfil (hardlink) -> a/b/escape/<target-relative-to-parent-of-extract>

Why this works:

  • Linkpath checks are string-based and do not resolve symlinks on disk for hardlink target safety.

    • See STRIPABSOLUTEPATH logic in:
      • ../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/unpack.js:255
      • ../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/unpack.js:268
      • ../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/unpack.js:281

  • Hardlink extraction resolves target as path.resolve(cwd, entry.linkpath) and then calls fs.link(target, destination).

    • ../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/unpack.js:566
    • ../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/unpack.js:567
    • ../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/unpack.js:703

  • Parent directory safety checks (mkdir + symlink detection) are applied to the destination path of the extracted entry, not to the resolved hardlink target path.

    • ../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/unpack.js:617
    • ../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/unpack.js:619
    • ../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/mkdir.js:27
    • ../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/mkdir.js:101

As a result, exfil is created inside extraction root but linked to an external file. The PoC confirms shared inode and successful read+write via exfil.

PoC

hardlink.js Environment used for validation:

  • Node: v25.4.0
  • tar: 7.5.7
  • OS: macOS Darwin 25.2.0
  • Extract options: defaults (tar.extract({ file, cwd }))

Steps:

  1. Prepare/locate a tar module. If require('tar') is not available locally, set TAR_MODULE to an absolute path to a tar package directory.

  2. Run:

TAR_MODULE="$(cd '../tar-audit-setuid - CVE/node_modules/tar' && pwd)" node hardlink.js
  1. Expected vulnerable output (key lines):
same_inode=true
read_ok=true
write_ok=true
result=VULNERABLE

Interpretation:

  • same_inode=true: extracted exfil and external secret are the same file object.
  • read_ok=true: reading exfil leaks external content.
  • write_ok=true: writing exfil modifies external file.

Impact

Vulnerability type:

  • Arbitrary file read/write via archive extraction path confusion and link resolution.

Who is impacted:

  • Any application/service that extracts attacker-controlled tar archives with Node tar defaults.
  • Impact scope is the privileges of the extracting process user.

Potential outcomes:

  • Read sensitive files reachable by the process user.
  • Overwrite writable files outside extraction root.
  • Escalate impact depending on deployment context (keys, configs, scripts, app data).
EPSS Score: 0.00007 (0.005)

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

ADVISORY - github

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

ADVISORY - redhat

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Impacted images

Advisories

NIST

CREATED

UPDATED

ADVISORY IDCVE-2026-26960
EXPLOITABILITY SCORE

1.8

EXPLOITS FOUND
COMMON WEAKNESS ENUMERATION (CWE)
CWE-22

CVSS SCORE

7.1high

GitHub

CREATED

UPDATED

ADVISORY IDGHSA-83g3-92jg-28cx
EXPLOITABILITY SCORE

1.8

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CWE-22

CVSS SCORE

7.1high

Alpine

CREATED

UPDATED

ADVISORY IDCVE-2026-26960
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

Debian

CREATED

UPDATED

ADVISORY IDCVE-2026-26960
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

Ubuntu

CREATED

UPDATED

ADVISORY IDCVE-2026-26960
EXPLOITABILITY SCORE

1.8

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

7.1medium

Amazon

CREATED

UPDATED

ADVISORY IDALAS2023-2026-1483
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Ahigh

Amazon

CREATED

UPDATED

ADVISORY IDALAS2023-2026-1484
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Ahigh

Amazon

CREATED

UPDATED

ADVISORY IDALAS2023-2026-1578
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Ahigh

Red Hat

CREATED

UPDATED

ADVISORY IDCVE-2026-26960
EXPLOITABILITY SCORE

1.8

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CWE-22

CVSS SCORE

7.1medium

Chainguard

CREATED

UPDATED

ADVISORY ID

CGA-x5w5-w4hp-jcv9

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

UPDATED

ADVISORY ID

MINI-3fh2-fjfv-3c3v

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

UPDATED

ADVISORY ID

MINI-49jv-84xg-438c

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

UPDATED

ADVISORY ID

MINI-587w-8hwq-g923

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

UPDATED

ADVISORY ID

MINI-5pxv-cmwh-wxwm

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

UPDATED

ADVISORY ID

MINI-72vf-gv8w-wpgm

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

UPDATED

ADVISORY ID

MINI-7fm7-wfqh-mqq8

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

UPDATED

ADVISORY ID

MINI-7vp2-q4cx-v885

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

UPDATED

ADVISORY ID

MINI-8cww-cp47-m2rc

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

UPDATED

ADVISORY ID

MINI-8rpw-7377-68vg

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

UPDATED

ADVISORY ID

MINI-c294-457x-5h47

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

UPDATED

ADVISORY ID

MINI-h84h-chmg-9whc

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

UPDATED

ADVISORY ID

MINI-hm3j-36wp-657f

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

UPDATED

ADVISORY ID

MINI-hv8g-xx57-q6w9

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

UPDATED

ADVISORY ID

MINI-j244-8hr5-rvrf

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

UPDATED

ADVISORY ID

MINI-p734-h8hc-h9vq

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

UPDATED

ADVISORY ID

MINI-wp7x-cxm8-7433

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

UPDATED

ADVISORY ID

MINI-x9hf-3mv2-675j

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY