CVE-2026-4360
Received - Intake

Tarfile.extract() Hardlink uid/gid Overwrite via Untrusted Archive

Vulnerability report for CVE-2026-4360, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: Python Software Foundation

Description

In the Tarfile.extract() function, the filter parameter is not passed properly when extracting hardlinks. An affected system that extracts content from untrusted tar files could end up writing files with an unexpected uid/gid despite the user passing filter='data' to the extract() function.


Meta Information

Generated: 2026-06-30
AI Q&A: 2026-06-30
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
python cpython From 3.10 (inc) to 3.16 (inc)

Exploitability

CWE ID   Description
CWE-281  The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.

AI Quick Actions

Executive Summary

CVE-2026-4360 is a vulnerability in Python's tarfile.extract() function where the filter parameter is not properly applied when extracting hardlinks from tar archives.

Specifically, if a hardlink's target is missing, instead of linking to the target, the file is extracted directly from the archive, bypassing the filter intended to control which files are extracted.

This flaw means that even if a user specifies a filter to restrict extraction, files could be written unexpectedly, potentially with incorrect user or group IDs.

Compliance Impact

The vulnerability in Python's tarfile.extract() function could allow an attacker to bypass intended file permission restrictions when extracting files from untrusted tar archives. This may result in files being written with unexpected user IDs or group IDs, potentially leading to unauthorized access or modification of sensitive data.

Such unauthorized file writes and permission bypasses could impact compliance with standards and regulations like GDPR or HIPAA, which require strict controls over data access and integrity. If sensitive personal or health data is extracted or modified without proper permissions, it could lead to violations of these regulations.

However, the vulnerability is classified as low severity and specifically affects scenarios where untrusted tar files are extracted without proper filtering. Applying the provided fix ensures that security filters are consistently enforced, helping maintain compliance with data protection requirements.

Detection Guidance

This vulnerability involves the Python tarfile module's extract() method not properly applying the filter parameter when extracting hardlinks, which could lead to files being written with unexpected uid/gid. Detection would involve monitoring or inspecting tar extraction operations, especially those involving untrusted tar files with hardlinks.

To detect exploitation attempts or presence of this vulnerability on your system, you can:

  • Check for extraction of tar files that contain hardlinks from untrusted sources.
  • Audit file ownership and permissions after tar extraction to identify unexpected uid/gid assignments.
  • Use Python scripts to test the behavior of the tarfile.extract() method with filter parameters on sample tar files containing hardlinks.

Example command to inspect tar files for hardlinks (GNU tar lists a hardlink entry with type character `h` and the text "link to", so that is the string to match rather than "hard link"):

```shell
tar -tvf archive.tar | grep 'link to'
```

Example Python snippet to test filter application during extraction (filter callables take two arguments, the TarInfo and the destination path; the original one-argument signature would fail with a TypeError):

```python
import tarfile


def filter_data(member, path):
    # Returning None makes extractall() skip the member. Allowing only regular
    # files means hardlinks, the member type this record concerns, are never
    # written at all.
    if member.isreg():
        return member
    return None


with tarfile.open('archive.tar') as tar:
    tar.extractall(filter=filter_data)
```

Monitoring logs for unexpected file ownership changes or unexpected file creations after tar extraction can also help detect exploitation.
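A pre-extraction audit of the kind the bullets above describe, as an added example that is not part of this record or of CPython: it lists every hardlink member in an archive and flags the two conditions the record ties to the bug, a link whose target member is absent from the archive and a link (or its target) stored with a uid/gid other than the extracting user's. The function names, the member names and the uid/gid value 1000 are constructed for the example.

```python
import io
import tarfile


def audit_hardlinks(archive, expected_uid, expected_gid):
    """Return (member name, reason) for hardlinks to reject before extract().

    The target is resolved among the archive's own members, because that member's
    data is what gets written when the target is missing on disk. Findings: target
    not in the archive, or link/target stored with a uid/gid other than the
    extracting user's (the owners the record says can survive filter='data').
    """
    by_name = {m.name: m for m in archive.getmembers()}
    findings = []
    for member in archive.getmembers():
        if not member.islnk():
            continue
        target = by_name.get(member.linkname)
        if target is None:
            findings.append((member.name, f"target {member.linkname!r} not in archive"))
            continue
        for owner in (member, target):  # the link header and the data it resolves to
            if (owner.uid, owner.gid) != (expected_uid, expected_gid):
                findings.append((member.name, f"{owner.name} stored as uid={owner.uid} gid={owner.gid}"))
                break
    return findings


def build_sample_archive():
    """Constructed sample, not a real artifact: a root-owned file, a hardlink to it,
    and a hardlink whose target is absent from the archive."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = b"hello\n"
        reg = tarfile.TarInfo("payload.txt")
        reg.size, reg.uid, reg.gid = len(data), 0, 0
        tar.addfile(reg, io.BytesIO(data))
        for name, linkname, owner in (("alias.txt", "payload.txt", 0),
                                      ("orphan.txt", "missing.txt", 1000)):
            link = tarfile.TarInfo(name)
            link.type, link.linkname = tarfile.LNKTYPE, linkname
            link.uid = link.gid = owner
            tar.addfile(link)
    buf.seek(0)
    return buf


def audit_bytes(fileobj, expected_uid=1000, expected_gid=1000):
    """Audit an uncompressed tar stream; uid/gid 1000 stand in for the extracting user."""
    with tarfile.open(fileobj=fileobj, mode="r:") as tar:
        return audit_hardlinks(tar, expected_uid, expected_gid)
```

Running `audit_bytes(build_sample_archive())` reports both constructed hardlinks; an archive that passes with no findings can still be extracted with the regular-files-only filter shown above.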

Impact Analysis

If you extract content from untrusted tar files using Python's tarfile.extract() function, this vulnerability could cause files to be written with unexpected user IDs or group IDs.

This could lead to security issues such as unauthorized file creation or modification, potentially bypassing security controls or file filtering mechanisms.

Mitigation Strategies

To mitigate this vulnerability, you should update your Python installation to a version where the fix has been applied. The fix for CVE-2026-4360 has been backported and merged into multiple Python versions including 3.10 through 3.16.

The fix ensures that the filter parameter in the TarFile.extract() method is properly respected during extraction, preventing unintended file extraction or bypass of security controls.

Avoid extracting tar files from untrusted sources until the update is applied.
