Executive Summary

CVE-2026-43623 is a stack-based buffer overflow vulnerability in the microtar library version 0.1.0 and earlier. It occurs in the raw_to_header() function within src/microtar.c, where the function uses strcpy() to copy 100-byte fixed-width name and linkname fields from a raw TAR archive header. These fields may not be null-terminated in malformed TAR files, causing strcpy() to read beyond the intended buffer and write up to 355 bytes into a 100-byte destination buffer on the stack. This overflow corrupts adjacent stack memory and can lead to crashes or potentially arbitrary code execution.

The vulnerability arises because the TAR format's name and linkname fields are fixed-size arrays that may be fully populated without a null terminator, and strcpy() does not perform bounds checking. This allows crafted TAR archives with non-null-terminated fields to trigger the overflow when processed by functions like mtar_open(), mtar_find(), or mtar_read_header().

The issue was discovered through fuzzing and is confirmed by proof-of-concept exploits that demonstrate stack corruption and potential control over execution flow. The recommended fix is to replace strcpy() with bounded memcpy() operations and explicitly null-terminate the copied strings.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts including the corruption of adjacent stack memory, which may lead to application crashes or denial-of-service conditions.

More critically, the stack buffer overflow can allow attackers to overwrite return addresses or other control data on the stack, potentially enabling arbitrary code execution when processing malicious TAR archives.

Additionally, there is a related integer overflow vulnerability in the mtar_next() function that can cause an infinite loop and denial-of-service.

Overall, exploitation of this vulnerability could compromise the security and stability of applications using the affected microtar library, leading to unauthorized code execution or service disruption.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by analyzing TAR archives processed by microtar for malformed name or linkname fields that are not null-terminated and fully populated with non-null characters. A proof-of-concept crafted TAR file with 100-byte non-null-terminated name or linkname fields can trigger the overflow and cause a crash.

Detection can involve monitoring for crashes or abnormal termination signals (such as SIGABRT) in applications using microtar when processing TAR files, which may indicate exploitation attempts.

While no specific detection commands are provided, fuzzing tools like AFL (American Fuzzy Lop) were used to discover this vulnerability by mutating TAR file inputs.

To manually test, you can attempt to extract or open suspicious TAR archives with microtar-based tools and observe for crashes or errors.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation involves avoiding the use of vulnerable microtar versions (0.1.0 and earlier) when processing untrusted TAR archives.

If updating is possible, apply patches that replace unsafe strcpy() calls with bounded memcpy() operations and explicitly null-terminate the copied strings after 99 bytes to prevent buffer overflows.

As a temporary measure, do not process TAR files from untrusted or unknown sources using the vulnerable microtar library.

Monitor for updates or advisories from the microtar project or your software vendor addressing this vulnerability.

Useful 0 Not Useful 0