CVE-2026-50163 oras-go: Hardlink entry with relative Linkname escapes extract dir via process CWD resolution in `oras-go` tar extraction
oras-go is a Go library for managing OCI artifacts. Prior to 2.6.2, ensureLinkPath in content/file/utils.go:262-275 validates a hardlink target relative to the extract base but returns the unresolved target, causing os.Link"victim.secret", "/payload.tar.gz/evilcwdlink" to resolve header.Linkname...