Bug 2441253 (CVE-2026-26960)

Summary: CVE-2026-26960 tar: node-tar: Arbitrary file read/write via malicious archive hardlink creation
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: aazores, abrianik, abuckta, akostadi, alcohan, amasferr, aschwart, asoldano, ataylor, bbaranow, bdettelb, bmaxwell, boliveir, brian.stansberry, caswilli, cmah, darran.lofthouse, dbruscin, dfreiber, dhanak, dkuc, dmayorov, doconnor, dosoudil, drosa, drow, eaguilar, ebaron, fjuma, ggrzybek, gmalinko, gparvin, ibek, istudens, ivassile, iweiss, janstey, jbalunas, jburrell, jcantril, jkoehler, jlledo, jolong, jrokos, kaycoth, kvanderr, kverlaen, lball, lchilton, lphiri, manissin, mnovotny, mosmerov, mposolda, mstipich, msvehla, ngough, nwallace, orabin, pahickey, pantinor, parichar, pberan, pdelbell, pesilva, pjindal, pmackay, rexwhite, rhaigner, rmartinc, rojacob, rstancel, rstepani, sausingh, sdawley, sfeifer, smaestri, ssilvert, sthirugn, sthorger, tasato, teagle, tom.jenkinson, tsedmik, veshanka, vkumar, vmuzikar
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in node-tar. An attacker can craft a malicious archive that, when extracted with default options, creates a hardlink outside the intended extraction directory. This vulnerability allows the attacker to perform arbitrary file read and write operations as the user extracting the archive, bypassing existing path protections. This can lead to unauthorized access and modification of sensitive system files.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2441337, 2441338, 2441340, 2441341, 2441342, 2441348, 2441350, 2441351, 2441353, 2441354, 2441355, 2441359, 2441361, 2441362, 2441339, 2441343, 2441344, 2441346, 2441347, 2441349, 2441352, 2441356, 2441357, 2441358, 2441360, 2441363
Bug Blocks:

Description OSIDB Bzimport 2026-02-20 02:01:31 UTC
node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as the extracting user. Severity is high because the primitive bypasses path protections and turns archive extraction into a direct filesystem access primitive. This issue has been fixed in version 7.5.8.