CVE-2026-42497

EUVD-2026-31777
Archive::Tar versions before 3.08 for Perl extract hardlinks to attacker controlled paths outside the extraction directory.

_make_special_file() passes the tar header's linkname to link() without validating it against absolute paths or .. segments, creating a hardlink that shares the victim file's inode.

A subsequent write through the extracted name modifies the victim file, and the post-extraction chmod, chown, and utime block in _extract_file() (guarded only against symlinks via -l) applies the tar header's mode, owner, and timestamps to the shared inode during extraction alone.
Link Following
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 33%
Affected Products (NVD)
VendorProductVersion
archive\\
𝑥
< 3.08
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
perl
bookworm
postponed
bookworm (security)
vulnerable
bullseye
vulnerable
bullseye (security)
vulnerable
forky
vulnerable
sid
vulnerable
trixie
postponed
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
perl-Archive-Tar
Amazon Linux 2
0:1.92-3.amzn2.0.2
fixed
Amazon Linux 2023
0:3.04-522.amzn2023.0.3
fixed
perl-Archive-Tar-tests
Amazon Linux 2023
0:3.04-522.amzn2023.0.3
fixed
Azure Linux logo
Azure Linux Releases
Azure Package
Release
perl
Azure Linux 3.0
0:5.38.2-510.azl3
fixed