CVE-2026-55738
Received Received - Intake
Stack-Based Buffer Overflow in microtar

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: 309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c

Description
A stack-based buffer overflow exists in the raw_to_header() function in src/microtar.c in rxi microtar 0.1.0. The function copies the 100-byte name and linkname fields of a TAR header with strcpy() without guaranteeing null termination of the source. The POSIX ustar format permits these fixed-width fields to be fully populated with non-null bytes, so a crafted archive whose linkname field (followed by the trailing padding of the 512-byte raw header) contains no null terminator causes strcpy() to read past the end of the 512-byte raw header stack buffer and to write past the destination header buffer. A remote attacker who supplies a crafted TAR archive that the victim opens or parses (via mtar_open(), mtar_read_header(), or mtar_find()) can cause an out-of-bounds read and a stack buffer overflow, resulting in denial of service (crash) and potentially arbitrary code execution. Confirmed with AddressSanitizer: stack-buffer-overflow READ of size 356 in raw_to_header at src/microtar.c:112.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-17
Last Modified
2026-06-17
Generated
2026-06-17
AI Q&A
2026-06-17
EPSS Evaluated
N/A
NVD
CVE-2026-55738
EUVD
EUVD-2026-37712
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
rxi microtar 0.1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-170 The product does not terminate or incorrectly terminates a string or array with a null character or equivalent terminator.
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a stack-based buffer overflow in the raw_to_header() function of the rxi microtar 0.1.0 library. The function uses strcpy() to copy fixed-width fields (name and linkname) from a TAR header without ensuring the source string is null-terminated. Because the POSIX ustar format allows these fields to be fully filled with non-null bytes, a specially crafted TAR archive can cause strcpy() to read beyond the intended 512-byte buffer and write past the destination buffer. This leads to an out-of-bounds read and stack buffer overflow.

A remote attacker can exploit this by supplying a malicious TAR archive that is opened or parsed by vulnerable functions (mtar_open(), mtar_read_header(), or mtar_find()), potentially causing a denial of service (crash) or even arbitrary code execution.

Impact Analysis

This vulnerability can impact you by allowing a remote attacker to cause a denial of service through a crash when processing a malicious TAR archive. More seriously, it may allow the attacker to execute arbitrary code on your system, potentially leading to full system compromise.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55738. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart