CVE-2026-42496

EUVD-2026-31774
Archive::Tar versions before 3.08 for Perl extract symlinks with attacker controlled targets outside the extraction directory.

_make_special_file() passes the tar header's linkname to symlink() without validating it against absolute paths or .. segments. The secure-extract mode check that guards regular file extraction does not cover the symlink target.

A subsequent open through the extracted name reads or writes the attacker chosen path.
Link Following
Path Traversal
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.1 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 34%
Affected Products (NVD)
VendorProductVersion
archive\\
𝑥
< 3.08
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
perl
bookworm
postponed
bookworm (security)
vulnerable
bullseye
vulnerable
bullseye (security)
vulnerable
forky
vulnerable
sid
vulnerable
trixie
postponed
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
perl-Archive-Tar
RHEL 9
0:2.38-6.el9_8.1
fixed
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
perl-Archive-Tar
Amazon Linux 2
0:1.92-3.amzn2.0.2
fixed
Amazon Linux 2023
0:3.04-522.amzn2023.0.3
fixed
perl-Archive-Tar-tests
Amazon Linux 2023
0:3.04-522.amzn2023.0.3
fixed
Azure Linux logo
Azure Linux Releases
Azure Package
Release
perl
Azure Linux 3.0
0:5.38.2-510.azl3
fixed