Bug 2445881 (CVE-2026-31802)

Summary: CVE-2026-31802 tar: tar: File overwrite via drive-relative symlink traversal
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aazores, abarbaro, abrianik, abuckta, akostadi, alcohan, alizardo, amasferr, aschwart, asoldano, ataylor, bbaranow, bdettelb, bmaxwell, boliveir, brian.stansberry, bstansbe, caswilli, cmah, darran.lofthouse, dbruscin, dfreiber, dhanak, dkuc, dlofthou, dmayorov, doconnor, dosoudil, drosa, drow, eaguilar, ebaron, fjuma, ggrzybek, gmalinko, gparvin, ibek, istudens, ivassile, iweiss, janstey, jbalunas, jburrell, jcantril, jchui, jhe, jkoehler, jlledo, jolong, jrokos, kaycoth, ktsao, kvanderr, kverlaen, lball, lchilton, lphiri, manissin, mnovotny, mosmerov, mposolda, mstipich, msvehla, nboldt, ngough, nwallace, orabin, pahickey, pantinor, parichar, pberan, pdelbell, pesilva, pjindal, pmackay, psrna, rexwhite, rhaigner, rmartinc, rojacob, rstancel, rstepani, sausingh, sdawley, sfeifer, smaestri, ssilvert, sthirugn, sthorger, tasato, teagle, thjenkin, tom.jenkinson, tsedmik, vdosoudi, veshanka, vkumar, vmuzikar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in tar. An attacker can exploit this vulnerability by crafting a malicious tar archive containing a drive-relative symlink. This symlink, such as C:../../../target.txt, can trick the tar utility into writing files outside the intended extraction directory during normal archive extraction, leading to unauthorized file overwrite.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-03-09 22:01:54 UTC 
node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink target such as C:../../../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This vulnerability is fixed in 7.5.11.