CVE-2026-39243
Undergoing Analysis Undergoing Analysis - In Progress

Hardlink Arbitrary File Read in Decompress

Vulnerability report for CVE-2026-39243, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-10

Assigner: MITRE

Description

decompress before 4.2.2 allows arbitrary hardlink creation during archive extraction, enabling file read disclosure and file corruption. When processing hardlink entries (type === 'link'), the x.linkname field from the archive is passed directly to fs.link() without validation (index.js line 113). An attacker can craft an archive with a hardlink entry whose linkname is an absolute path to any file on the same filesystem. This creates a hardlink inside the extraction directory that shares the same inode as the target file, enabling both reading and overwriting the original file's content. Hardlinks are limited to files on the same filesystem and cannot target directories.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-10
Generated
2026-07-11
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
kevva decompress to 4.2.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-59 The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Mitigation Strategies

To mitigate this vulnerability, you should upgrade decompress to version 4.2.2 or later, where the issue with arbitrary hardlink creation during archive extraction is fixed.

Avoid extracting archives from untrusted sources until the update is applied, as crafted archives can create hardlinks that allow reading or overwriting files on the same filesystem.

Executive Summary

The vulnerability exists in decompress versions before 4.2.2, where arbitrary hardlink creation is possible during archive extraction.

When processing hardlink entries, the x.linkname field from the archive is passed directly to the filesystem link function without validation.

An attacker can craft an archive containing a hardlink entry whose linkname is an absolute path to any file on the same filesystem.

This results in the creation of a hardlink inside the extraction directory that shares the same inode as the target file, allowing reading and overwriting of the original file's content.

Hardlinks are limited to files on the same filesystem and cannot target directories.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of file contents and file corruption.

An attacker can read sensitive files by creating hardlinks to them during archive extraction.

Additionally, the attacker can overwrite important files, potentially causing data loss or system instability.

Compliance Impact

The vulnerability allows an attacker to create hardlinks to arbitrary files on the same filesystem during archive extraction, enabling unauthorized reading and overwriting of sensitive files.

This can lead to disclosure of sensitive information such as secrets or private keys, which may include personal data protected under regulations like GDPR or sensitive health information under HIPAA.

Such unauthorized access and potential data corruption could result in non-compliance with these standards, as they require protection of data confidentiality and integrity.

Therefore, exploiting this vulnerability could cause violations of data protection requirements mandated by common standards and regulations.

Detection Guidance

This vulnerability involves arbitrary hardlink creation during archive extraction using the decompress package (versions <= 4.2.1). Detection involves identifying if archives being extracted contain hardlink entries with absolute paths that point outside the extraction directory.

To detect exploitation attempts or presence of malicious archives, you can inspect tar or other archive files for hardlink entries with absolute paths.

  • Use tar command to list hardlink entries and their link targets: tar -tvf archive.tar | grep 'link'
  • Check for hardlink entries with absolute paths (paths starting with '/') in the archive listing.
  • After extraction, use find to identify hardlinks in the extraction directory: find /path/to/extract -type f -links +1 -exec ls -li {} +

Monitoring file system activity for creation of hardlinks pointing outside expected directories may also help detect exploitation.

Since the vulnerability is in decompress package versions <= 4.2.1, verifying the version of decompress used in your environment is critical.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39243. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart