Fluid Attacks Database

Description

Archive::Tar versions before 3.08 for Perl extract hardlinks to attacker controlled paths outside the extraction directory. _make_special_file() passes the tar header's linkname to link() without validating it against absolute paths or .. segments, creating a hardlink that shares the victim file's inode. A subsequent write through the extracted name modifies the victim file, and the post-extraction chmod, chown, and utime block in _extract_file() (guarded only against symlinks via -l) applies the tar header's mode, owner, and timestamps to the shared inode during extraction alone.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version
debian 12	perl	=5.36.0-10 \|\| =5.36.0-7 \|\| =5.36.0-7+deb12u1 \|\| =5.36.0-7+deb12u2 \|\| =5.36.0-7+deb12u3 \|\| =5.36.0-8 \|\| =5.36.0-9 \|\| =5.38.0-1 \|\| =5.38.0-2 \|\| =5.38.0~rc2-1 \|\| =5.38.2-1 \|\| =5.38.2-2 \|\| =5.38.2-3 \|\| =5.38.2-3.1 \|\| =5.38.2-3.2 \|\| =5.38.2-3.2+hurd.1 \|\| =5.38.2-4 \|\| =5.38.2-5 \|\| =5.40.0-1 \|\| =5.40.0-2 \|\| =5.40.0-3 \|\| =5.40.0-4 \|\| =5.40.0-5 \|\| =5.40.0-6 \|\| =5.40.0-7 \|\| =5.40.0-8 \|\| =5.40.0~rc1-1 \|\| =5.40.1-1 \|\| =5.40.1-2 \|\| =5.40.1-3 \|\| =5.40.1-4 \|\| =5.40.1-5 \|\| =5.40.1-6 \|\| =5.40.1-7 \|\| =5.42.0-1 \|\| =5.42.0-2 \|\| =5.42.0-3 \|\| =5.42.2-1
debian 11	perl	=5.32.1-4 \|\| =5.32.1-4+deb11u1 \|\| =5.32.1-4+deb11u2 \|\| =5.32.1-4+deb11u3 \|\| =5.32.1-4+deb11u4 \|\| =5.32.1-4+deb11u5 \|\| =5.32.1-5 \|\| =5.32.1-6 \|\| =5.34.0-1 \|\| =5.34.0-2 \|\| =5.34.0-3 \|\| =5.34.0-4 \|\| =5.34.0-5 \|\| =5.34.0~rc2-1 \|\| =5.36.0-1 \|\| =5.36.0-10 \|\| =5.36.0-2 \|\| =5.36.0-3 \|\| =5.36.0-4 \|\| =5.36.0-5 \|\| =5.36.0-6 \|\| =5.36.0-7 \|\| =5.36.0-8 \|\| =5.36.0-9 \|\| =5.38.0-1 \|\| =5.38.0-2 \|\| =5.38.0~rc2-1 \|\| =5.38.2-1 \|\| =5.38.2-2 \|\| =5.38.2-3 \|\| =5.38.2-3.1 \|\| =5.38.2-3.2 \|\| =5.38.2-3.2+hurd.1 \|\| =5.38.2-4 \|\| =5.38.2-5 \|\| =5.40.0-1 \|\| =5.40.0-2 \|\| =5.40.0-3 \|\| =5.40.0-4 \|\| =5.40.0-5 \|\| =5.40.0-6 \|\| =5.40.0-7 \|\| =5.40.0-8 \|\| =5.40.0~rc1-1 \|\| =5.40.1-1 \|\| =5.40.1-2 \|\| =5.40.1-3 \|\| =5.40.1-4 \|\| =5.40.1-5 \|\| =5.40.1-6 \|\| =5.40.1-7 \|\| =5.42.0-1 \|\| =5.42.0-2 \|\| =5.42.0-3 \|\| =5.42.2-1
debian 13	perl	=5.40.1-6 \|\| =5.40.1-7 \|\| =5.42.0-1 \|\| =5.42.0-2 \|\| =5.42.0-3 \|\| =5.42.2-1
debian 14	perl	=5.40.1-6 \|\| =5.40.1-7 \|\| =5.42.0-1 \|\| =5.42.0-2 \|\| =5.42.0-3 \|\| =5.42.2-1

Aliases

1. CVE-2026-424972. NVD-2026-424973. OSV-DEBIAN-2026-424974. OSV-2026-424975. SECURITY-TRACKER-CVE-2026-42497

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.