Upstream information

CVE-2026-42496 at MITRE

Description

Archive::Tar versions before 3.08 for Perl extract symlinks with attacker-controlled targets outside the extraction directory.

_make_special_file() passes the tar header's linkname to symlink() without validating it against absolute paths or .. segments. The secure-extract mode check that guards regular file extraction does not cover the symlink target.

A subsequent open through the extracted name reads or writes the attacker-chosen path.
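
A pre-extraction audit for the condition described above, as an added example that is not code from Archive::Tar or its fix: it uses Python's tarfile module on a constructed in-memory archive, and all function names are illustrative. It goes one step beyond the per-entry target check by also flagging entries whose path passes through an earlier symlink in the same archive, since a lexical check is not sound for those.

```python
import io
import posixpath
import tarfile


def link_escapes(member_name, linkname):
    """Lexical check: does a symlink stored at member_name point outside the root?"""
    if posixpath.isabs(linkname):
        return True
    # A relative target resolves from the directory that holds the link.
    base = posixpath.dirname(member_name)
    resolved = posixpath.normpath(posixpath.join(base, linkname))
    return resolved == ".." or resolved.startswith("../")


def audit_archive(fileobj):
    """Return (name, linkname, reason) for each entry that should block extraction."""
    findings, seen_links = [], set()
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for m in tar:
            name = posixpath.normpath(m.name)
            parents = name.split("/")[:-1]
            prefixes = {"/".join(parents[:i]) for i in range(1, len(parents) + 1)}
            # The lexical check is only sound if no parent directory is itself a link.
            if prefixes & seen_links:
                findings.append((m.name, m.linkname, "path passes through archive symlink"))
            elif m.issym() and link_escapes(name, m.linkname):
                findings.append((m.name, m.linkname, "symlink target outside root"))
            if m.issym():
                seen_links.add(name)
    return findings


def build_sample():
    """Constructed archive for the example: symlink headers only, no file data."""
    entries = [
        ("docs/latest", "v2/index.html"),  # stays inside the root
        ("a/b/ok", "../sibling"),          # resolves to a/sibling
        ("abs", "/etc/hostname"),          # absolute target
        ("a/b/up", "../../../outside"),    # climbs above the root
        ("a/link", ".."),                  # resolves to the root itself
        ("a/link/esc", ".."),              # leaves the root only via a/link
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, target in entries:
            info = tarfile.TarInfo(name)
            info.type = tarfile.SYMTYPE
            info.linkname = target
            tar.addfile(info)
    buf.seek(0)
    return buf
```
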

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having critical severity.

CVSS v3 Scores
| CVSS detail | CNA (0b0ca135-0b70-47e7-9f44-1890c2a1c46c) | CNA (CISA-ADP) | National Vulnerability Database |
|---|---|---|---|
| Base Score | 8.2 | 9.1 | 9.1 |
| Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| Attack Vector | Local | Network | Network |
| Attack Complexity | Low | Low | Low |
| Privileges Required | Low | None | None |
| User Interaction | Required | None | None |
| Scope | Changed | Unchanged | Unchanged |
| Confidentiality Impact | High | High | High |
| Integrity Impact | High | High | High |
| Availability Impact | High | None | None |
| CVSSv3 Version | 3.1 | 3.1 | 3.1 |

No SUSE Bugzilla entries cross referenced.

SUSE Security Advisories:

List of released packages

Product(s) Fixed package version(s) References
SUSE Liberty Linux 10
  • perl-Archive-Tar >= 3.02-512.el10_2.1
Patchnames:
RHSA-2026:30857
SUSE Liberty Linux 8
  • perl >= 5.32.1-474.module+el8.10.0+24099+8aa2f756
  • perl-Algorithm-Diff >= 1.1903-10.module+el8.10.0+21354+3ad137bb
  • perl-Archive-Tar >= 2.38-4.module+el8.10.0+24402+ce90c7a0
  • perl-Archive-Zip >= 1.68-3.module+el8.10.0+21354+3ad137bb
  • perl-Attribute-Handlers >= 1.01-474.module+el8.10.0+24099+8aa2f756
  • perl-AutoLoader >= 5.74-474.module+el8.10.0+24099+8aa2f756
  • perl-AutoSplit >= 5.74-474.module+el8.10.0+24099+8aa2f756
  • perl-B >= 1.80-474.module+el8.10.0+24099+8aa2f756
  • perl-Benchmark >= 1.23-474.module+el8.10.0+24099+8aa2f756
  • perl-CPAN >= 2.28-5.module+el8.10.0+21354+3ad137bb
  • perl-CPAN-DistnameInfo >= 0.12-13.module+el8.10.0+21354+3ad137bb
  • perl-CPAN-Meta >= 2.150010-397.module+el8.10.0+21354+3ad137bb
  • perl-CPAN-Meta-Requirements >= 2.140-397.module+el8.10.0+21354+3ad137bb
  • perl-CPAN-Meta-YAML >= 0.018-1001.module+el8.10.0+21354+3ad137bb
  • perl-Carp >= 1.50-439.module+el8.10.0+21354+3ad137bb
  • perl-Class-Struct >= 0.66-474.module+el8.10.0+24099+8aa2f756
  • perl-Compress-Bzip2 >= 2.28-2.module+el8.10.0+21354+3ad137bb
  • perl-Compress-Raw-Bzip2 >= 2.096-1.module+el8.10.0+21354+3ad137bb
  • perl-Compress-Raw-Lzma >= 2.096-1.module+el8.10.0+21354+3ad137bb
  • perl-Compress-Raw-Zlib >= 2.096-2.module+el8.10.0+21354+3ad137bb
  • perl-Config-Extensions >= 0.03-474.module+el8.10.0+24099+8aa2f756
  • perl-Config-Perl-V >= 0.32-441.module+el8.10.0+21354+3ad137bb
  • perl-DBM_Filter >= 0.06-474.module+el8.10.0+24099+8aa2f756
  • perl-DB_File >= 1.855-1.module+el8.10.0+21354+3ad137bb
  • perl-Data-Dumper >= 2.174-440.module+el8.10.0+21354+3ad137bb
  • perl-Data-OptList >= 0.110-7.module+el8.10.0+21354+3ad137bb
  • perl-Data-Section >= 0.200007-8.module+el8.10.0+21354+3ad137bb
  • perl-Devel-PPPort >= 3.62-1.module+el8.10.0+21354+3ad137bb
  • perl-Devel-Peek >= 1.28-474.module+el8.10.0+24099+8aa2f756
  • perl-Devel-SelfStubber >= 1.06-474.module+el8.10.0+24099+8aa2f756
  • perl-Devel-Size >= 0.83-3.module+el8.10.0+21354+3ad137bb
  • perl-Digest >= 1.20-1.module+el8.10.0+21354+3ad137bb
  • perl-Digest-MD5 >= 2.58-1.module+el8.10.0+21354+3ad137bb
  • perl-Digest-SHA >= 6.02-2.module+el8.10.0+21354+3ad137bb
  • perl-DirHandle >= 1.05-474.module+el8.10.0+24099+8aa2f756
  • perl-Dumpvalue >= 2.27-474.module+el8.10.0+24099+8aa2f756
  • perl-DynaLoader >= 1.47-474.module+el8.10.0+24099+8aa2f756
  • perl-Encode >= 3.08-461.module+el8.10.0+21354+3ad137bb
  • perl-Encode-Locale >= 1.05-10.module+el8.10.0+21354+3ad137bb
  • perl-Encode-devel >= 3.08-461.module+el8.10.0+21354+3ad137bb
  • perl-English >= 1.11-474.module+el8.10.0+24099+8aa2f756
  • perl-Env >= 1.04-396.module+el8.10.0+21354+3ad137bb
  • perl-Errno >= 1.30-474.module+el8.10.0+24099+8aa2f756
  • perl-Exporter >= 5.74-458.module+el8.10.0+21354+3ad137bb
  • perl-ExtUtils-CBuilder >= 0.280236-1.module+el8.10.0+21354+3ad137bb
  • perl-ExtUtils-Command >= 7.46-3.module+el8.10.0+21354+3ad137bb
  • perl-ExtUtils-Constant >= 0.25-474.module+el8.10.0+24099+8aa2f756
  • perl-ExtUtils-Embed >= 1.35-474.module+el8.10.0+24099+8aa2f756
  • perl-ExtUtils-Install >= 2.20-1.module+el8.10.0+21354+3ad137bb
  • perl-ExtUtils-MM-Utils >= 7.46-3.module+el8.10.0+21354+3ad137bb
  • perl-ExtUtils-MakeMaker >= 7.46-3.module+el8.10.0+21354+3ad137bb
  • perl-ExtUtils-Manifest >= 1.73-1.module+el8.10.0+21354+3ad137bb
  • perl-ExtUtils-Miniperl >= 1.09-474.module+el8.10.0+24099+8aa2f756
  • perl-ExtUtils-ParseXS >= 3.40-439.module+el8.10.0+21354+3ad137bb
  • perl-Fcntl >= 1.13-474.module+el8.10.0+24099+8aa2f756
  • perl-Fedora-VSP >= 0.001-10.module+el8.10.0+21354+3ad137bb
  • perl-File-Basename >= 2.85-474.module+el8.10.0+24099+8aa2f756
  • perl-File-Compare >= 1.100.600-474.module+el8.10.0+24099+8aa2f756
  • perl-File-Copy >= 2.34-474.module+el8.10.0+24099+8aa2f756
  • perl-File-DosGlob >= 1.12-474.module+el8.10.0+24099+8aa2f756
  • perl-File-Fetch >= 1.00-1.module+el8.10.0+21354+3ad137bb
  • perl-File-Find >= 1.37-474.module+el8.10.0+24099+8aa2f756
  • perl-File-HomeDir >= 1.004-6.module+el8.10.0+21354+3ad137bb
  • perl-File-Path >= 2.16-439.module+el8.10.0+21354+3ad137bb
  • perl-File-Temp >= 0.231.100-1.module+el8.10.0+21354+3ad137bb
  • perl-File-Which >= 1.23-4.module+el8.10.0+21354+3ad137bb
  • perl-File-stat >= 1.09-474.module+el8.10.0+24099+8aa2f756
  • perl-FileCache >= 1.10-474.module+el8.10.0+24099+8aa2f756
  • perl-FileHandle >= 2.03-474.module+el8.10.0+24099+8aa2f756
  • perl-Filter >= 1.60-1.module+el8.10.0+21354+3ad137bb
  • perl-Filter-Simple >= 0.96-457.module+el8.10.0+21354+3ad137bb
  • perl-FindBin >= 1.51-474.module+el8.10.0+24099+8aa2f756
  • perl-GDBM_File >= 1.18-474.module+el8.10.0+24099+8aa2f756
  • perl-Getopt-Long >= 2.52-1.module+el8.10.0+21354+3ad137bb
  • perl-Getopt-Std >= 1.12-474.module+el8.10.0+24099+8aa2f756
  • perl-HTTP-Tiny >= 0.078-1.module+el8.10.0+21354+3ad137bb
  • perl-Hash-Util >= 0.23-474.module+el8.10.0+24099+8aa2f756
  • perl-Hash-Util-FieldHash >= 1.20-474.module+el8.10.0+24099+8aa2f756
  • perl-I18N-Collate >= 1.02-474.module+el8.10.0+24099+8aa2f756
  • perl-I18N-LangTags >= 0.44-474.module+el8.10.0+24099+8aa2f756
  • perl-I18N-Langinfo >= 0.19-474.module+el8.10.0+24099+8aa2f756
  • perl-IO >= 1.43-474.module+el8.10.0+24099+8aa2f756
  • perl-IO-Compress >= 2.096-2.module+el8.10.0+24402+ce90c7a0
  • perl-IO-Compress-Lzma >= 2.096-1.module+el8.10.0+21354+3ad137bb
  • perl-IO-Socket-IP >= 0.41-2.module+el8.10.0+21354+3ad137bb
  • perl-IO-Zlib >= 1.10-474.module+el8.10.0+24099+8aa2f756
  • perl-IPC-Cmd >= 1.04-2.module+el8.10.0+21354+3ad137bb
  • perl-IPC-Open3 >= 1.21-474.module+el8.10.0+24099+8aa2f756
  • perl-IPC-SysV >= 2.09-1.module+el8.10.0+21354+3ad137bb
  • perl-IPC-System-Simple >= 1.30-3.module+el8.10.0+21354+3ad137bb
  • perl-Importer >= 0.025-6.module+el8.10.0+21354+3ad137bb
  • perl-JSON-PP >= 4.04-2.module+el8.10.0+21354+3ad137bb
  • perl-Locale-Maketext >= 1.29-440.module+el8.10.0+21354+3ad137bb
  • perl-Locale-Maketext-Simple >= 0.21-474.module+el8.10.0+24099+8aa2f756
  • perl-MIME-Base64 >= 3.15-1001.module+el8.10.0+21354+3ad137bb
  • perl-MRO-Compat >= 0.13-5.module+el8.10.0+21354+3ad137bb
  • perl-Math-BigInt >= 1.9998.18-1.module+el8.10.0+21354+3ad137bb
  • perl-Math-BigInt-FastCalc >= 0.500.900-1.module+el8.10.0+21354+3ad137bb
  • perl-Math-BigRat >= 0.2614-2.module+el8.10.0+21354+3ad137bb
  • perl-Math-Complex >= 1.59-474.module+el8.10.0+24099+8aa2f756
  • perl-Memoize >= 1.03-474.module+el8.10.0+24099+8aa2f756
  • perl-Module-Build >= 0.42.31-5.module+el8.10.0+21354+3ad137bb
  • perl-Module-CoreList >= 5.20211020-1.module+el8.10.0+21354+3ad137bb
  • perl-Module-CoreList-tools >= 5.20211020-1.module+el8.10.0+21354+3ad137bb
  • perl-Module-Load >= 0.36-1.module+el8.10.0+21354+3ad137bb
  • perl-Module-Load-Conditional >= 0.74-1.module+el8.10.0+21354+3ad137bb
  • perl-Module-Loaded >= 0.08-474.module+el8.10.0+24099+8aa2f756
  • perl-Module-Metadata >= 1.000037-1.module+el8.10.0+21354+3ad137bb
  • perl-NDBM_File >= 1.15-474.module+el8.10.0+24099+8aa2f756
  • perl-NEXT >= 0.67-474.module+el8.10.0+24099+8aa2f756
  • perl-Net >= 1.02-474.module+el8.10.0+24099+8aa2f756
  • perl-Net-Ping >= 2.72-474.module+el8.10.0+24099+8aa2f756
  • perl-ODBM_File >= 1.16-474.module+el8.10.0+24099+8aa2f756
  • perl-Object-HashBase >= 0.009-4.module+el8.10.0+21354+3ad137bb
  • perl-Object-HashBase-tools >= 0.009-4.module+el8.10.0+21354+3ad137bb
  • perl-Opcode >= 1.48-474.module+el8.10.0+24099+8aa2f756
  • perl-POSIX >= 1.94-474.module+el8.10.0+24099+8aa2f756
  • perl-Package-Generator >= 1.106-12.module+el8.10.0+21354+3ad137bb
  • perl-Params-Check >= 0.38-396.module+el8.10.0+21354+3ad137bb
  • perl-Params-Util >= 1.102-2.module+el8.10.0+21354+3ad137bb
  • perl-PathTools >= 3.78-439.module+el8.10.0+21354+3ad137bb
  • perl-Perl-OSType >= 1.010-397.module+el8.10.0+21354+3ad137bb
  • perl-PerlIO-via-QuotedPrint >= 0.09-1.module+el8.10.0+21354+3ad137bb
  • perl-Pod-Checker >= 1.74-1.module+el8.10.0+21354+3ad137bb
  • perl-Pod-Escapes >= 1.07-396.module+el8.10.0+21354+3ad137bb
  • perl-Pod-Functions >= 1.13-474.module+el8.10.0+24099+8aa2f756
  • perl-Pod-Html >= 1.25-474.module+el8.10.0+24099+8aa2f756
  • perl-Pod-Parser >= 1.63-1001.module+el8.10.0+21354+3ad137bb
  • perl-Pod-Perldoc >= 3.28.01-443.module+el8.10.0+21354+3ad137bb
  • perl-Pod-Simple >= 3.42-1.module+el8.10.0+21354+3ad137bb
  • perl-Pod-Usage >= 2.01-1.module+el8.10.0+21354+3ad137bb
  • perl-Safe >= 2.41-474.module+el8.10.0+24099+8aa2f756
  • perl-Scalar-List-Utils >= 1.55-457.module+el8.10.0+21354+3ad137bb
  • perl-Search-Dict >= 1.07-474.module+el8.10.0+24099+8aa2f756
  • perl-SelectSaver >= 1.02-474.module+el8.10.0+24099+8aa2f756
  • perl-SelfLoader >= 1.26-474.module+el8.10.0+24099+8aa2f756
  • perl-Socket >= 2.031-1.module+el8.10.0+21354+3ad137bb
  • perl-Software-License >= 0.103014-5.module+el8.10.0+21354+3ad137bb
  • perl-Storable >= 3.21-457.module+el8.10.0+21354+3ad137bb
  • perl-Sub-Exporter >= 0.987-17.module+el8.10.0+21354+3ad137bb
  • perl-Sub-Install >= 0.928-15.module+el8.10.0+21354+3ad137bb
  • perl-Symbol >= 1.08-474.module+el8.10.0+24099+8aa2f756
  • perl-Sys-Hostname >= 1.23-474.module+el8.10.0+24099+8aa2f756
  • perl-Sys-Syslog >= 0.36-1.module+el8.10.0+21354+3ad137bb
  • perl-Term-ANSIColor >= 5.01-458.module+el8.10.0+21354+3ad137bb
  • perl-Term-Cap >= 1.17-396.module+el8.10.0+21354+3ad137bb
  • perl-Term-Complete >= 1.403-474.module+el8.10.0+24099+8aa2f756
  • perl-Term-ReadLine >= 1.17-474.module+el8.10.0+24099+8aa2f756
  • perl-Term-Table >= 0.015-2.module+el8.10.0+21354+3ad137bb
  • perl-Test >= 1.31-474.module+el8.10.0+24099+8aa2f756
  • perl-Test-Harness >= 3.42-2.module+el8.10.0+21354+3ad137bb
  • perl-Test-Simple >= 1.302181-2.module+el8.10.0+21354+3ad137bb
  • perl-Text-Abbrev >= 1.02-474.module+el8.10.0+24099+8aa2f756
  • perl-Text-Balanced >= 2.04-1.module+el8.10.0+21354+3ad137bb
  • perl-Text-Diff >= 1.45-7.module+el8.10.0+21354+3ad137bb
  • perl-Text-Glob >= 0.11-5.module+el8.10.0+21354+3ad137bb
  • perl-Text-ParseWords >= 3.30-396.module+el8.10.0+21354+3ad137bb
  • perl-Text-Tabs+Wrap >= 2013.0523-396.module+el8.10.0+21354+3ad137bb
  • perl-Text-Template >= 1.58-1.module+el8.10.0+21354+3ad137bb
  • perl-Thread >= 3.05-474.module+el8.10.0+24099+8aa2f756
  • perl-Thread-Queue >= 3.14-457.module+el8.10.0+21354+3ad137bb
  • perl-Thread-Semaphore >= 2.13-474.module+el8.10.0+24099+8aa2f756
  • perl-Tie >= 4.6-474.module+el8.10.0+24099+8aa2f756
  • perl-Tie-File >= 1.06-474.module+el8.10.0+24099+8aa2f756
  • perl-Tie-Memoize >= 1.1-474.module+el8.10.0+24099+8aa2f756
  • perl-Tie-RefHash >= 1.39-474.module+el8.10.0+24099+8aa2f756
  • perl-Time >= 1.03-474.module+el8.10.0+24099+8aa2f756
  • perl-Time-HiRes >= 1.9764-459.module+el8.10.0+21354+3ad137bb
  • perl-Time-Local >= 1.300-4.module+el8.10.0+21354+3ad137bb
  • perl-Time-Piece >= 1.3401-474.module+el8.10.0+24099+8aa2f756
  • perl-URI >= 1.76-5.module+el8.10.0+21354+3ad137bb
  • perl-Unicode-Collate >= 1.29-1.module+el8.10.0+21354+3ad137bb
  • perl-Unicode-Normalize >= 1.27-458.module+el8.10.0+21354+3ad137bb
  • perl-Unicode-UCD >= 0.75-474.module+el8.10.0+24099+8aa2f756
  • perl-User-pwent >= 1.03-474.module+el8.10.0+24099+8aa2f756
  • perl-autodie >= 2.34-1.module+el8.10.0+21354+3ad137bb
  • perl-autouse >= 1.11-474.module+el8.10.0+24099+8aa2f756
  • perl-base >= 2.27-474.module+el8.10.0+24099+8aa2f756
  • perl-bignum >= 0.51-439.module+el8.10.0+21354+3ad137bb
  • perl-blib >= 1.07-474.module+el8.10.0+24099+8aa2f756
  • perl-constant >= 1.33-1001.module+el8.10.0+21354+3ad137bb
  • perl-debugger >= 1.56-474.module+el8.10.0+24099+8aa2f756
  • perl-deprecate >= 0.04-474.module+el8.10.0+24099+8aa2f756
  • perl-devel >= 5.32.1-474.module+el8.10.0+24099+8aa2f756
  • perl-diagnostics >= 1.37-474.module+el8.10.0+24099+8aa2f756
  • perl-doc >= 5.32.1-474.module+el8.10.0+24099+8aa2f756
  • perl-encoding >= 3.00-461.module+el8.10.0+21354+3ad137bb
  • perl-encoding-warnings >= 0.13-474.module+el8.10.0+24099+8aa2f756
  • perl-experimental >= 0.025-1.module+el8.10.0+21354+3ad137bb
  • perl-fields >= 2.27-474.module+el8.10.0+24099+8aa2f756
  • perl-filetest >= 1.03-474.module+el8.10.0+24099+8aa2f756
  • perl-generators >= 1.13-1.module+el8.10.0+21354+3ad137bb
  • perl-homedir >= 2.000024-7.module+el8.10.0+21354+3ad137bb
  • perl-if >= 0.60.800-474.module+el8.10.0+24099+8aa2f756
  • perl-inc-latest >= 0.500-10.module+el8.10.0+21354+3ad137bb
  • perl-interpreter >= 5.32.1-474.module+el8.10.0+24099+8aa2f756
  • perl-less >= 0.03-474.module+el8.10.0+24099+8aa2f756
  • perl-lib >= 0.65-474.module+el8.10.0+24099+8aa2f756
  • perl-libnet >= 3.13-1.module+el8.10.0+21354+3ad137bb
  • perl-libnetcfg >= 5.32.1-474.module+el8.10.0+24099+8aa2f756
  • perl-libs >= 5.32.1-474.module+el8.10.0+24099+8aa2f756
  • perl-local-lib >= 2.000024-7.module+el8.10.0+21354+3ad137bb
  • perl-locale >= 1.09-474.module+el8.10.0+24099+8aa2f756
  • perl-macros >= 5.32.1-474.module+el8.10.0+24099+8aa2f756
  • perl-meta-notation >= 5.32.1-474.module+el8.10.0+24099+8aa2f756
  • perl-mro >= 1.23-474.module+el8.10.0+24099+8aa2f756
  • perl-open >= 1.12-474.module+el8.10.0+24099+8aa2f756
  • perl-overload >= 1.31-474.module+el8.10.0+24099+8aa2f756
  • perl-overloading >= 0.02-474.module+el8.10.0+24099+8aa2f756
  • perl-parent >= 0.238-457.module+el8.10.0+21354+3ad137bb
  • perl-perlfaq >= 5.20210520-1.module+el8.10.0+21354+3ad137bb
  • perl-ph >= 5.32.1-474.module+el8.10.0+24099+8aa2f756
  • perl-podlators >= 4.14-457.module+el8.10.0+21354+3ad137bb
  • perl-sigtrap >= 1.09-474.module+el8.10.0+24099+8aa2f756
  • perl-sort >= 2.04-474.module+el8.10.0+24099+8aa2f756
  • perl-subs >= 1.03-474.module+el8.10.0+24099+8aa2f756
  • perl-threads >= 2.25-457.module+el8.10.0+21354+3ad137bb
  • perl-threads-shared >= 1.61-457.module+el8.10.0+21354+3ad137bb
  • perl-utils >= 5.32.1-474.module+el8.10.0+24099+8aa2f756
  • perl-vars >= 1.05-474.module+el8.10.0+24099+8aa2f756
  • perl-version >= 0.99.29-1.module+el8.10.0+21354+3ad137bb
  • perl-vmsish >= 1.04-474.module+el8.10.0+24099+8aa2f756
Patchnames:
RHSA-2026:30851
RHSA-2026:30852
SUSE Liberty Linux 9
  • perl-Archive-Tar >= 2.38-6.el9_8.1
Patchnames:
RHSA-2026:30856


SUSE Timeline for this CVE

CVE page created: Tue May 26 03:00:03 2026
CVE page last modified: Wed Jul 1 21:44:27 2026