Deno: Permission Bypass via Unicode Normalization Mismatch on macOS (APFS)

Summary Deno's permission system enforces filesystem and execution restrictions by comparing the requested path against the path supplied to --deny-read, --deny-write, --deny-run, or --deny-ffi. On macOS, that comparison was done at the raw-byte level while the APFS filesystem treats different...

node-tar: tar: node-tar: Arbitrary file overwrite via Unicode path collision race condition

A flaw was found in node-tar, a library for Node.js. This race condition vulnerability occurs due to incomplete handling of Unicode path collisions within the path-reservations system on case-insensitive filesystems, such as macOS APFS. A remote attacker can exploit this by providing a specially...

About the security content of tvOS 26.5

About the security content of tvOS 26.5 This document describes the security content of tvOS 26.5. About Apple security updates For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available...

OESA-2026-1939 sleuthkit security update

The Sleuth Kit previously known as TASK is a collection of UNIX-based command line file system forensic tools that allow an investigator to examine NTFS, FAT, FFS, EXT2FS, EXT3FS and ExFAT file systems of a suspect computer in a non-intrusive fashion. The tools have a layer-based design and can...

OESA-2026-1937 sleuthkit security update

The Sleuth Kit previously known as TASK is a collection of UNIX-based command line file system forensic tools that allow an investigator to examine NTFS, FAT, FFS, EXT2FS, EXT3FS and ExFAT file systems of a suspect computer in a non-intrusive fashion. The tools have a layer-based design and can...

OESA-2026-1936 sleuthkit security update

The Sleuth Kit previously known as TASK is a collection of UNIX-based command line file system forensic tools that allow an investigator to examine NTFS, FAT, FFS, EXT2FS, EXT3FS and ExFAT file systems of a suspect computer in a non-intrusive fashion. The tools have a layer-based design and can...

Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in tar-6.2.1.tgz

Summary IBM Watson Discovery Cartridge affected by vulnerability in tar-6.2.1.tgz Vulnerability Details CVEID:CVE-2026-23950 DESCRIPTION: node-tar,a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to an incomplete handling of Unicode path...

CVE-2026-40025

A flaw was found in The Sleuth Kit. An attacker can exploit this vulnerability by crafting a malicious Apple File System APFS disk image. This flaw allows for an out-of-bounds read in the APFS filesystem keybag parser, specifically within the wrappedkeyparser class, due to a lack of bounds checki...

CVE-2026-40025

The Sleuth Kit through 4.14.0 contains an out-of-bounds read vulnerability in the APFS filesystem keybag parser where the wrappedkeyparser class follows attacker-controlled length fields without bounds checking, causing heap reads past the allocated buffer. An attacker can craft a malicious APFS...

CVE-2026-40025

The vulnerability CVE-2026-40025 affects Sleuth Kit up to version 4.14.0, in the APFS filesystem keybag parser. The root cause is an out-of-bounds read: the wrapped_key_parser uses attacker-controlled length fields without bounds checking, enabling heap reads past the allocated buffer. A crafted ...

PT-2026-31462

The Sleuth Kit through 4.14.0 contains an out-of-bounds read vulnerability in the APFS filesystem keybag parser where the wrapped key parser class follows attacker-controlled length fields without bounds checking, causing heap reads past the allocated buffer. An attacker can craft a malicious APF...

Important: nodejs20

Issue Overview: node-tar is a Tar for Node.js. The node-tar library = 7.5.2 fails to sanitize the linkpath of Link hardlink and SymbolicLink entries when preservePaths is false the default secure behavior. This allows malicious archives to bypass the extraction root restriction, leading to...

Important: nodejs24

Issue Overview: node-tar is a Tar for Node.js. The node-tar library = 7.5.2 fails to sanitize the linkpath of Link hardlink and SymbolicLink entries when preservePaths is false the default secure behavior. This allows malicious archives to bypass the extraction root restriction, leading to...

GHSA-R6Q2-HW4H-H46W Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS

TITLE: Race Condition in node-tar Path Reservations via Unicode Sharp-S ß Collisions on macOS APFS AUTHOR: Tomás Illuminati Details A race condition vulnerability exists in node-tar v7.5.3 this is to an incomplete handling of Unicode path collisions in the path-reservations system. On...

Improper Handling of Unicode Encoding

Overview org.webjars.npm:tar is a full-featured Tar for Node.js. Affected versions of this package are vulnerable to Improper Handling of Unicode Encoding in Path Reservations via Unicode Sharp-S ß Collisions on macOS APFS. An attacker can overwrite arbitrary files by exploiting Unicode...

Improper Handling of Unicode Encoding

Overview tar is a full-featured Tar for Node.js. Affected versions of this package are vulnerable to Improper Handling of Unicode Encoding in Path Reservations via Unicode Sharp-S ß Collisions on macOS APFS. An attacker can overwrite arbitrary files by exploiting Unicode normalization collisions ...

CVE-2026-23950 node-tar has Race Condition in Path Reservations via Unicode Ligature Collisions on macOS APFS

node-tar,a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to an incomplete handling of Unicode path collisions in the path-reservations system. On case-insensitive or normalization-insensitive filesystems such as macOS APFS, In which it has...

CVE-2026-23950

Summary of CVE-2026-23950 (node-tar) : A race condition in node-tar’s path-reservations on macOS APFS/HFS+ enables parallel processing of conflicting Unicode paths (e.g., “ß” vs “ss”), bypassing internal locks and allowing an Arbitrary File Overwrite . Affected are node-tar versions up to 7.5.3; ...

CVE-2026-23950

node-tar,a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to an incomplete handling of Unicode path collisions in the path-reservations system. On case-insensitive or normalization-insensitive filesystems such as macOS APFS, In which it has...

CVE-2026-23950 node-tar has Race Condition in Path Reservations via Unicode Ligature Collisions on macOS APFS

node-tar,a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to an incomplete handling of Unicode path collisions in the path-reservations system. On case-insensitive or normalization-insensitive filesystems such as macOS APFS, In which it has...