{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-42496", "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "state": "PUBLISHED", "assignerShortName": "CPANSec", "dateReserved": "2026-04-27T18:34:48.417Z", "datePublished": "2026-05-26T00:17:19.110Z", "dateUpdated": "2026-05-28T13:08:37.326Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://cpan.org/modules", "defaultStatus": "unaffected", "packageName": "Archive-Tar", "product": "Archive::Tar", "programFiles": ["lib/Archive/Tar.pm"], "programRoutines": [{"name": "Archive::Tar::_make_special_file"}], "repo": "https://github.com/jib/archive-tar-new", "vendor": "BINGOS", "versions": [{"lessThan": "3.08", "status": "affected", "version": "0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Archive::Tar versions before 3.08 for Perl extract symlinks with attacker controlled targets outside the extraction directory.\n\n_make_special_file() passes the tar header's linkname to symlink() without validating it against absolute paths or .. segments. The secure-extract mode check that guards regular file extraction does not cover the symlink target.\n\nA subsequent open through the extracted name reads or writes the attacker chosen path."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-59", "description": "CWE-59 Improper Link Resolution Before File Access ('Link Following')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "shortName": "CPANSec", "dateUpdated": "2026-05-26T00:17:19.110Z"}, "references": [{"tags": ["patch"], "url": "https://github.com/jib/archive-tar-new/commit/17c873492a05eddc0de18c1485e0b2cccd5a9158.patch"}, {"tags": ["release-notes"], "url": "https://metacpan.org/release/BINGOS/Archive-Tar-3.08/changes"}, {"tags": ["related"], "url": "https://www.cve.org/CVERecord?id=CVE-2026-42497"}], "solutions": [{"lang": "en", "value": "Upgrade to Archive::Tar 3.08 or later."}], "source": {"discovery": "UNKNOWN"}, "timeline": [{"lang": "en", "time": "2026-04-12T00:00:00.000Z", "value": "Issue reported."}, {"lang": "en", "time": "2026-05-22T00:00:00.000Z", "value": "Version 3.08 released."}], "title": "Archive::Tar versions before 3.08 for Perl extract symlinks with attacker controlled targets outside the extraction directory", "x_generator": {"engine": "cpansec-cna-tool 0.1"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-05-28T13:08:28.377579Z", "id": "CVE-2026-42496", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-28T13:08:37.326Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-42496", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-05-28T13:08:28.377579Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-28T13:08:22.601Z"}}], "cna": {"title": "Archive::Tar versions before 3.08 for Perl extract symlinks with attacker controlled targets outside the extraction directory", "source": {"discovery": "UNKNOWN"}, "affected": [{"repo": "https://github.com/jib/archive-tar-new", "vendor": "BINGOS", "product": "Archive::Tar", "versions": [{"status": "affected", "version": "0", "lessThan": "3.08", "versionType": "custom"}], "packageName": "Archive-Tar", "programFiles": ["lib/Archive/Tar.pm"], "collectionURL": "https://cpan.org/modules", "defaultStatus": "unaffected", "programRoutines": [{"name": "Archive::Tar::_make_special_file"}]}], "timeline": [{"lang": "en", "time": "2026-04-12T00:00:00.000Z", "value": "Issue reported."}, {"lang": "en", "time": "2026-05-22T00:00:00.000Z", "value": "Version 3.08 released."}], "solutions": [{"lang": "en", "value": "Upgrade to Archive::Tar 3.08 or later."}], "references": [{"url": "https://github.com/jib/archive-tar-new/commit/17c873492a05eddc0de18c1485e0b2cccd5a9158.patch", "tags": ["patch"]}, {"url": "https://metacpan.org/release/BINGOS/Archive-Tar-3.08/changes", "tags": ["release-notes"]}, {"url": "https://www.cve.org/CVERecord?id=CVE-2026-42497", "tags": ["related"]}], "x_generator": {"engine": "cpansec-cna-tool 0.1"}, "descriptions": [{"lang": "en", "value": "Archive::Tar versions before 3.08 for Perl extract symlinks with attacker controlled targets outside the extraction directory.\n\n_make_special_file() passes the tar header's linkname to symlink() without validating it against absolute paths or .. segments. The secure-extract mode check that guards regular file extraction does not cover the symlink target.\n\nA subsequent open through the extracted name reads or writes the attacker chosen path."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-59", "description": "CWE-59 Improper Link Resolution Before File Access ('Link Following')"}]}], "providerMetadata": {"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "shortName": "CPANSec", "dateUpdated": "2026-05-26T00:17:19.110Z"}}}, "cveMetadata": {"cveId": "CVE-2026-42496", "state": "PUBLISHED", "dateUpdated": "2026-05-28T13:08:37.326Z", "dateReserved": "2026-04-27T18:34:48.417Z", "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "datePublished": "2026-05-26T00:17:19.110Z", "assignerShortName": "CPANSec"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:archive\\:\\:tar_project:archive\\:\\:tar:*:*:*:*:*:perl:*:*", "matchCriteriaId": "CE0EEC28-8DB1-42B8-9D87-5E9AA5D1C168", "versionEndExcluding": "3.08", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Archive::Tar versions before 3.08 for Perl extract symlinks with attacker controlled targets outside the extraction directory.\n\n_make_special_file() passes the tar header's linkname to symlink() without validating it against absolute paths or .. segments. The secure-extract mode check that guards regular file extraction does not cover the symlink target.\n\nA subsequent open through the extracted name reads or writes the attacker chosen path."}], "id": "CVE-2026-42496", "lastModified": "2026-05-28T14:16:20.023", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "[email protected]", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-05-26T02:16:40.130", "references": [{"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "tags": ["Patch"], "url": "https://github.com/jib/archive-tar-new/commit/17c873492a05eddc0de18c1485e0b2cccd5a9158.patch"}, {"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "tags": ["Release Notes"], "url": "https://metacpan.org/release/BINGOS/Archive-Tar-3.08/changes"}, {"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "tags": ["Third Party Advisory"], "url": "https://www.cve.org/CVERecord?id=CVE-2026-42497"}], "sourceIdentifier": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-59"}], "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "type": "Secondary"}]}

{"bugzilla": {"description": "perl-archive-tar: perl-archive-tar: Path traversal via crafted symlinks allows arbitrary file access", "id": "2481314", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481314"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.2", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-22", "details": ["A flaw was found in perl-Archive-Tar. Versions before 3.08 for Perl are vulnerable to a path traversal issue. An attacker can craft a malicious tar archive containing symlinks with targets outside the intended extraction directory. This vulnerability allows the attacker to read or write to arbitrary files on the system, leading to potential information disclosure or data corruption."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-42496", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "perl-Archive-Tar", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "perl-Archive-Tar", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "perl:5.32/perl-Archive-Tar", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "perl-Archive-Tar", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "perl-Archive-Tar", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-05-26T00:17:19Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-42496\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-42496\nhttps://github.com/jib/archive-tar-new/commit/17c873492a05eddc0de18c1485e0b2cccd5a9158.patch\nhttps://metacpan.org/release/BINGOS/Archive-Tar-3.08/changes\nhttps://www.cve.org/CVERecord?id=CVE-2026-42497"], "statement": "This is an Important vulnerability in `perl-Archive-Tar` that allows for arbitrary file access due to a path traversal flaw when extracting specially crafted tar archives. An attacker could exploit this by creating a malicious archive containing symlinks that point outside the intended extraction directory, potentially leading to unauthorized information disclosure or data corruption on the system. This risk is elevated in environments where untrusted archives are processed.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,3.08)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Archive::Tar", "source": "cna", "vendor": "BINGOS"}, "product": "archive::tar", "vendor": "bingos"}], "created": "2026-05-26T02:30:26.400286+00:00", "updated": "2026-06-03T14:00:21.785540+00:00", "vendors": ["bingos", "bingos$PRODUCT$archive::tar"]}