Platform: linux
Component: tar
Fixed in: 1.37.0
CVE-2026-5704 describes a hidden file injection vulnerability discovered in GNU tar. An attacker can exploit this flaw by crafting a specially designed archive, bypassing pre-extraction inspection and introducing malicious files onto a system without detection. This vulnerability impacts versions 1.0.0 through 1.36.0 of tar, and a fix is available in version 1.37.0.
The primary impact of CVE-2026-5704 is that a remote attacker can inject arbitrary files into a system during archive extraction. Because the injection bypasses pre-extraction inspection mechanisms, malicious files can be introduced without being detected by standard security controls. This could lead to the execution of malicious code, data exfiltration, or the compromise of system integrity. The attacker gains the ability to place files on the target system with full control over their content, potentially leading to persistent backdoors or further exploitation opportunities. While the initial injection is limited to the extraction process, the injected files could then be leveraged to escalate privileges or move laterally within the network.
CVE-2026-5704 was publicly disclosed on 2026-04-06. Currently, there are no known active campaigns exploiting this vulnerability, and no public proof-of-concept (PoC) code has been released. The vulnerability is not listed on the CISA KEV catalog at the time of writing. The CVSS score of 5 (Medium) indicates a moderate probability of exploitation if a PoC is developed and widely distributed.
Exploit Status
EPSS: 0.03% (7th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2026-5704 is to upgrade to GNU tar version 1.37.0 or later, which contains the fix for this vulnerability. If upgrading is not immediately feasible, consider temporary workarounds: stricter permission controls on the directories archives are extracted into, enhanced pre-extraction scanning of archives using tools like ClamAV, or temporarily disabling archive extraction functionality where it is not essential. Reviewing and auditing archive extraction processes is crucial to identify potential attack vectors. After upgrading, confirm the fix by attempting to extract a known malicious archive and verifying that the injection is prevented.
Update the 'tar' package to version 1.37.0 or higher to mitigate the hidden file injection vulnerability. This update corrects the issue by properly validating filenames during the extraction process, preventing the creation of unwanted hidden files. Refer to the Red Hat release notes for detailed update instructions.
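The following POSIX shell script is an added example of a pre-extraction gate that combines the two controls above: it refuses to run unless the installed GNU tar reports a version of at least 1.37.0 (the fixed version stated on this page), and it lists the archive's members without extracting them and flags names with a hidden (dot-prefixed) component, a `..` component, or an absolute path. It is not GNU tar's code and not a detector for this specific CVE: the advisory says the flaw bypasses pre-extraction inspection, so the member-name audit is a complementary defence-in-depth check, while the version gate is what actually enforces the fix. The treatment of "hidden" as any dot-prefixed path component, the version-parsing `sed` expression, and the `audit_archive` and `name_risk` helper names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the GNU tar project): gate archive extraction on a
# patched tar version and on an audit of the member names listed by `tar -tf`.
# Assumption: the fixed release is 1.37.0, as stated in the advisory above.
FIXED_MAJOR=1
FIXED_MINOR=37

# version_ok VERSION -> exit status 0 when VERSION (e.g. "1.36" or "1.37.0")
# is at least $FIXED_MAJOR.$FIXED_MINOR. Assumes a numeric dotted version.
version_ok() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2)
    [ -n "$minor" ] || minor=0
    [ "$major" -gt "$FIXED_MAJOR" ] ||
        { [ "$major" -eq "$FIXED_MAJOR" ] && [ "$minor" -ge "$FIXED_MINOR" ]; }
}

# tar_version -> prints the version from the first line of `tar --version`,
# e.g. "tar (GNU tar) 1.34" yields "1.34". Prints nothing for non-GNU tar.
tar_version() {
    tar --version 2>/dev/null | sed -n '1s/.*(GNU tar) \([0-9][0-9.]*\).*/\1/p'
}

# name_risk MEMBER -> prints one of: absolute, traversal, hidden, ok.
# Walks the path component by component; "." and empty components (from
# "./" or "//") are harmless, any other dot-prefixed component is "hidden".
name_risk() {
    rest=$1
    case "$rest" in /*) echo absolute; return 0 ;; esac
    while :; do
        comp=${rest%%/*}
        case "$comp" in
            ..)   echo traversal; return 0 ;;
            .|'') ;;
            .*)   echo hidden; return 0 ;;
        esac
        case "$rest" in */*) rest=${rest#*/} ;; *) break ;; esac
    done
    echo ok
}

# audit_names: stdin is one member name per line (the output of `tar -tf`);
# stdout is "<risk><TAB><name>" for every flagged entry, nothing when clean.
audit_names() {
    while IFS= read -r name; do
        risk=$(name_risk "$name")
        [ "$risk" = ok ] || printf '%s\t%s\n' "$risk" "$name"
    done
}

# audit_archive ARCHIVE -> 0 when no member name is flagged, 1 otherwise.
# Only lists the archive; nothing is written to disk.
audit_archive() {
    flagged=$(tar -tf "$1" | audit_names)
    if [ -n "$flagged" ]; then
        printf 'refusing to extract %s:\n%s\n' "$1" "$flagged" >&2
        return 1
    fi
    return 0
}

main() {
    archive=$1
    v=$(tar_version)
    [ -n "$v" ] || { echo "cannot determine GNU tar version" >&2; exit 2; }
    version_ok "$v" || { echo "tar $v is older than the fixed release" >&2; exit 2; }
    audit_archive "$archive" || exit 1
    # Assumption: extraction into a dedicated directory passed as $2.
    tar -xf "$archive" -C "$2"
}

# Usage: sh gate.sh ARCHIVE.tar DEST_DIR   (no-op when sourced without arguments)
[ "$#" -eq 0 ] || main "$@"
```

The name audit is deliberately stricter than tar itself: a legitimate archive that ships dotfiles (for example a `.gitignore`) will be flagged, which is the right default for archives from untrusted sources and can be relaxed per source once the version gate is in place.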
CVE-2026-5704 is a medium severity vulnerability in GNU tar allowing attackers to inject malicious files into a system by crafting a specially designed archive, bypassing inspection mechanisms.
You are affected if you are using GNU tar versions 1.0.0 through 1.36.0 and process archives from untrusted sources.
Upgrade to GNU tar version 1.37.0 or later to resolve the vulnerability. If upgrading is not immediately possible, implement temporary workarounds like stricter file permissions and enhanced scanning.
As of now, there are no known active campaigns exploiting CVE-2026-5704, and no public proof-of-concept code has been released.
Refer to the GNU tar project website and security mailing lists for the official advisory and further details regarding this vulnerability.