CVE-2026-5704
Hidden File Injection Vulnerability in tar via Malicious Archives
Publication date: 2026-04-06
Last updated on: 2026-04-22
Assigner: Red Hat, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| redhat | enterprise_linux | 7.0 |
| redhat | enterprise_linux | 6.0 |
| redhat | enterprise_linux | 8.0 |
| redhat | enterprise_linux | 9.0 |
| redhat | enterprise_linux | 10.0 |
| redhat | hardened_images | * |
| gnu | tar | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-5704 is a vulnerability in GNU tar that allows an attacker to inject hidden files into a system by crafting a malicious tar archive.
The issue arises because GNU tar accepts malformed archives in which certain non-data typeflags, specifically symlink (2), character device (3), block device (4) and FIFO (6), carry a non-zero size field.
This causes inconsistent behavior between the listing operation (tar -t) and extraction (tar -x): files associated with these malformed typeflags and non-zero sizes are not shown during listing but are created on disk during extraction.
As a result, an attacker can bypass pre-extraction inspection mechanisms and inject fully attacker-controlled hidden files onto the target system.
Exploitation requires only supplying a crafted tar archive to a system that performs pre-extraction inspection using tar -t or an equivalent API, followed by extraction using GNU tar.
No special privileges or user interaction beyond extraction are necessary, and the crafted archive can be very small (under 3 KB).
How can this vulnerability impact me?
This vulnerability can impact you by allowing an attacker to inject hidden malicious files onto your system without detection.
Because the malicious files are not visible during pre-extraction inspection, security mechanisms relying on such inspection can be bypassed.
This can lead to unauthorized modification or addition of files, potentially enabling further attacks, persistence, or compromise of system integrity.
The attack complexity is low and does not require special privileges, making it easier for attackers to exploit if they can supply crafted archives.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection is empirical: compare what `tar -t` reports against what `tar -x` actually writes to disk. The archives at issue are malformed, with a non-data typeflag (symlink, character device, block device or FIFO) whose size field is non-zero, and an affected GNU tar omits such members from the listing while still creating them on extraction.
Do the comparison from inside an empty scratch directory, as an unprivileged user, on a host you are prepared to clean up, never in the live target path:
- `tar -t -f <archive.tar>` (list the archive and keep the output)
- `tar -x -f <archive.tar>` (extract into the empty scratch directory you are in)
Then list the scratch directory and compare it with the saved listing. Any path present on disk but absent from the listing means the archive is malformed in the way described here and the installed tar is affected: treat the archive as hostile and the tar as unpatched.
What immediate steps should I take to mitigate this vulnerability?
As of this entry's last update, no patch or fixed version is listed for this vulnerability.
Immediate mitigation steps include:
- Avoid extracting tar archives from untrusted or unauthenticated sources; prefer archives whose origin you can verify before they reach tar.
- Do not rely solely on `tar -t` or similar pre-extraction inspection to verify archive contents; the listing can omit exactly the members that matter here.
- Add validation that does not depend on tar's own listing (for example, checking the raw headers for non-data typeflags with a non-zero size), and extract in a sandbox, as an unprivileged user, into an empty directory, to limit the damage from hidden file injection.
- Inventory the extracted tree after extraction and compare it with the listing; investigate anything that was not listed.
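The two checks above, the header-level validation from the mitigation list and the listing-versus-extraction diff from the detection answer, as an added example that is not code from this entry or from GNU tar. It parses the ustar header stream itself instead of trusting any tar's listing, so it sees the malformed member whatever the installed tar does with it. The malformed archive, the member names and the helper names are constructed for the illustration; the inputs to `hidden_after_extraction` are constructed too and in practice come from `tar -tf` and from `find` run in the scratch directory.

```python
"""Pre-extraction checks for tar members that must not carry data.

Added example (not from the CVE entry or GNU tar): walks raw 512-byte ustar
headers and flags the advisory's malformed shape, a non-data typeflag with a
non-zero size field. The sample archive below is constructed in memory.
"""
import tarfile  # used only for the standard typeflag constants

BLOCK = 512

# Typeflags the advisory names as non-data: a well-formed member with one of
# these must have a size field of zero.
NO_DATA_TYPES = {
    tarfile.SYMTYPE: "symlink",       # b"2"
    tarfile.CHRTYPE: "char device",   # b"3"
    tarfile.BLKTYPE: "block device",  # b"4"
    tarfile.FIFOTYPE: "fifo",         # b"6"
}


def _header_checksum(hdr: bytes) -> int:
    """Unsigned sum of the header with the chksum field read as eight spaces."""
    return sum(hdr[:148]) + 8 * 0x20 + sum(hdr[156:])


def make_header(name: bytes, typeflag: bytes, size: int, linkname: bytes = b"") -> bytes:
    """Build one ustar header. `size` is written verbatim, so a caller can pair a
    non-data typeflag with a non-zero size (the malformed case under test)."""
    hdr = bytearray(BLOCK)
    hdr[0:len(name)] = name
    hdr[100:108] = b"%07o\0" % 0o644   # mode
    hdr[108:116] = b"%07o\0" % 0       # uid
    hdr[116:124] = b"%07o\0" % 0       # gid
    hdr[124:136] = b"%011o\0" % size   # size field, the one that should be 0
    hdr[136:148] = b"%011o\0" % 0      # mtime
    hdr[156:157] = typeflag
    hdr[157:157 + len(linkname)] = linkname
    hdr[257:263] = b"ustar\0"
    hdr[263:265] = b"00"
    hdr[148:156] = b"%06o\0 " % _header_checksum(hdr)
    return bytes(hdr)


def _pad(data: bytes) -> bytes:
    return data + b"\0" * (-len(data) % BLOCK)


def build_archive(members) -> bytes:
    """members: iterable of (name, typeflag, linkname, payload). The size field is
    len(payload) regardless of typeflag, which a well-formed writer never does
    for NO_DATA_TYPES."""
    body = b"".join(
        make_header(name, typeflag, len(payload), linkname) + _pad(payload)
        for name, typeflag, linkname, payload in members
    )
    return body + b"\0" * (2 * BLOCK)  # end-of-archive marker


# Constructed sample: a benign file, a symlink header that illegally carries a
# 28-byte payload, then a second benign file.
HIDDEN_PAYLOAD = b"attacker controlled content\n"
SAMPLE_ARCHIVE = build_archive([
    (b"README", tarfile.REGTYPE, b"", b"hello\n"),
    (b"evil", tarfile.SYMTYPE, b"target", HIDDEN_PAYLOAD),
    (b"config.txt", tarfile.REGTYPE, b"", b"key=value\n"),
])


def walk_headers(archive: bytes):
    """Yield (name, typeflag, size) per header, always skipping data by the size
    field. Stops at the end-of-archive zero block and refuses a header whose
    checksum does not verify instead of guessing where the next one starts."""
    off = 0
    while off + BLOCK <= len(archive):
        hdr = archive[off:off + BLOCK]
        if hdr == bytes(BLOCK):
            return
        stored = int(hdr[148:156].rstrip(b"\0 ") or b"0", 8)
        if stored != _header_checksum(hdr):
            raise ValueError(f"bad header checksum at offset {off}")
        name = hdr[0:100].rstrip(b"\0").decode("utf-8", "replace")
        size = int(hdr[124:136].rstrip(b"\0 ") or b"0", 8)
        yield name, hdr[156:157], size
        off += BLOCK + ((size + BLOCK - 1) // BLOCK) * BLOCK


def suspicious_members(archive: bytes):
    """Members that are non-data by typeflag yet carry a size: the shape the
    advisory describes. Empty result means the archive passes this check."""
    return [
        {"name": name, "type": NO_DATA_TYPES[tf], "size": size}
        for name, tf, size in walk_headers(archive)
        if tf in NO_DATA_TYPES and size != 0
    ]


def hidden_after_extraction(listed, on_disk):
    """Detection by differencing: paths found in the scratch directory after
    `tar -x` that were absent from the `tar -t` listing. Both arguments are
    iterables of relative paths (as from `tar -tf` and `find`)."""
    seen = {p.rstrip("/") for p in listed}
    return sorted(p.rstrip("/") for p in on_disk if p.rstrip("/") not in seen)


if __name__ == "__main__":
    for m in suspicious_members(SAMPLE_ARCHIVE):
        print(f"REJECT: {m['type']} member {m['name']!r} carries {m['size']} data bytes")
    # Constructed listing and extraction results illustrating the diff step.
    print(hidden_after_extraction(["README", "config.txt"], ["README", "evil", "config.txt"]))
```

Run as a script it rejects the sample on the `evil` symlink before anything touches disk, and the diff helper reports the same member once the scratch-directory inventory is fed in. The structural check is deliberately conservative: it does not interpret GNU or PAX extended headers (which legitimately carry data and are skipped by their size field here), so long names stored in them are not resolved, and a checksum failure aborts the scan rather than resynchronising, since a header stream that does not verify is itself grounds to refuse the archive.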
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an attacker to inject hidden files with fully attacker-controlled content onto a system by bypassing pre-extraction inspection mechanisms. Such unauthorized file injection could lead to the introduction of malicious or unauthorized data, potentially compromising the integrity and security of sensitive information.
Given that standards and regulations like GDPR and HIPAA require strict controls over data integrity, confidentiality, and system security, this vulnerability could negatively impact compliance by enabling unauthorized data manipulation or introduction of malicious files without detection.