Executive Summary

CVE-2026-5704 is a vulnerability in GNU tar that allows an attacker to inject hidden files into a system by crafting a malicious tar archive.

The issue arises because GNU tar permits malformed archives where certain non-data typeflags—specifically symlink (2), character device (3), block device (4), and FIFO (6)—contain a non-zero size field.

This causes inconsistent behavior between the listing operation (tar -t) and extraction (tar -x): files associated with these malformed typeflags and non-zero sizes are not shown during listing but are created on disk during extraction.

As a result, an attacker can bypass pre-extraction inspection mechanisms and inject fully attacker-controlled hidden files onto the target system.

Exploitation requires only supplying a crafted tar archive to a system that performs pre-extraction inspection using tar -t or an equivalent API, followed by extraction using GNU tar.

No special privileges or user interaction beyond extraction are necessary, and the crafted archive can be very small (under 3 KB).

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows an attacker to inject hidden files with fully attacker-controlled content onto a system by bypassing pre-extraction inspection mechanisms. Such unauthorized file injection could lead to the introduction of malicious or unauthorized data, potentially compromising the integrity and security of sensitive information.

Given that standards and regulations like GDPR and HIPAA require strict controls over data integrity, confidentiality, and system security, this vulnerability could negatively impact compliance by enabling unauthorized data manipulation or introduction of malicious files without detection.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing an attacker to inject hidden malicious files onto your system without detection.

Because the malicious files are not visible during pre-extraction inspection, security mechanisms relying on such inspection can be bypassed.

This can lead to unauthorized modification or addition of files, potentially enabling further attacks, persistence, or compromise of system integrity.

The attack complexity is low and does not require special privileges, making it easier for attackers to exploit if they can supply crafted archives.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by comparing the output of the tar listing command with the actual files extracted from a tar archive. Specifically, the issue arises because malformed tar archives with certain non-data typeflags and non-zero size fields cause files to be hidden during listing but created during extraction.

A suggested approach is to use the command `tar -t` to list the contents of a tar archive and then extract it using `tar -x`. If files appear on disk after extraction that were not shown in the listing, this indicates the presence of the vulnerability.

Commands to detect this behavior include:

• `tar -t -f <archive.tar>` (to list archive contents)
• `tar -x -f <archive.tar>` (to extract archive contents)

If files appear after extraction that were not listed, the archive is exploiting the vulnerability.

Useful 0 Not Useful 0

Mitigation Strategies

Currently, there is no patch or fixed version available for this vulnerability.

Immediate mitigation steps include:

• Avoid extracting tar archives from untrusted or unauthenticated sources.
• Do not rely solely on `tar -t` or similar pre-extraction inspection mechanisms to verify archive contents.
• Implement additional validation or sandboxing when extracting tar archives to limit potential damage from hidden file injection.
• Monitor extracted files for unexpected or suspicious content after extraction.

Useful 0 Not Useful 0