CVE-2026-42496

makespecial_file() passes the tar header's linkname to symlink() without validating it against absolute paths or .. segments. The secure-extract mode check that guards regular file extraction does not cover the symlink target.

A subsequent open through the extracted name reads or writes the attacker chosen path.

Database specific

{
    "cna_assigner": "CPANSec",
    "cwe_ids": [
        "CWE-59"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42496.json"
}

References

Affected packages

Git / github.com/jib/archive-tar-new

Affected ranges

Type

GIT

Repo

https://github.com/jib/archive-tar-new

Events

Introduced

Fixed

56670a5136ae16cacdca3ccd0735de044af01b48

Fixed

17c873492a05eddc0de18c1485e0b2cccd5a9158

Database specific

{
    "cpe": "cpe:2.3:a:archive\\:\\:tar_project:archive\\:\\:tar:*:*:*:*:*:perl:*:*",
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.08"
        }
    ]
}

Affected versions

1.*

1.78

1.80

1.82

1.84

1.86

1.88

1.92

1.93_01

1.93_02

1.94

1.96

1.98

2.*

2.00

2.02

2.04

2.06

2.08

2.10

2.12

2.14

2.16

2.18

2.20

2.22

2.24

2.26

2.28

2.30

2.32

2.34

2.36

2.38

2.40

3.*

3.00

3.02

3.04

3.06

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-42496.json"