Bug 2441253 (CVE-2026-26960) - CVE-2026-26960 tar: node-tar: node-tar: Arbitrary file read/write via malicious archive hardlink creation
Summary: CVE-2026-26960 tar: node-tar: node-tar: Arbitrary file read/write via malicious archive hardlink creation
Keywords:
Status: NEW
Alias: CVE-2026-26960
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2441337 2441338 2441340 2441341 2441342 2441348 2441350 2441351 2441352 2441353 2441354 2441355 2441359 2441361 2441362 2441363 2441339 2441343 2441344 2441346 2441347 2441349 2441356 2441357 2441358 2441360
Blocks:
Reported: 2026-02-20 02:01 UTC by OSIDB Bzimport
Modified: 2026-02-20 14:03 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-02-20 02:01:31 UTC
node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as the extracting user. Severity is high because the primitive bypasses path protections and turns archive extraction into a direct filesystem access primitive. This issue has been fixed in version 7.5.8.

