Linux Distros Unpatched Vulnerability : CVE-2026-53655

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - node-tar is a full-featured Tar for Node.js. Prior to 7.5.16, tar node-tar applies a PAX extended header's size= record and other PAX overrides to the next head...

GHSA-VMF3-W455-68VH node-tar applies PAX size override to intermediary GNU long-name/long-link headers, causing tar parser interpretation differential (file smuggling)

Summary tar node-tar applies a PAX extended header's size= record and other PAX overrides to the next header entry of any type, including intermediary metadata headers such as a GNU long-name L or long-link K entry. Per POSIX pax, a PAX extended header x describes the next file entry, not the...

CVE-2026-33055 tar-rs incorrectly ignores PAX size headers if header size is nonzero

tar-rs is a tar archive reading/writing library for Rust. Versions 0.4.44 and below have conditional logic that skips the PAX size header in cases where the base header size is nonzero. As part of CVE-2025-62518, the astral-tokio-tar project was changed to correctly honor PAX size headers in the...

CVE-2026-32766

astral-tokio-tar is a tar archive reading/writing library for async Rust. In versions 0.5.6 and earlier, malformed PAX extensions were silently skipped when parsing tar archives. This silent skipping rather than rejection of invalid PAX extensions could be used as a building block for a parser...

Linux Distros Unpatched Vulnerability : CVE-2026-32766

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - astral-tokio-tar is a tar archive reading/writing library for async Rust. In versions 0.5.6 and earlier, malformed PAX extensions were silently skipped when...

Insufficient validation of PAX extensions during extraction

In versions 0.5.6 and earlier of astral-tokio-tar, malformed PAX extensions were silently skipped when parsing tar archives. This silent skipping rather than rejection of invalid PAX extensions could be used as a building block for a parser differential, for example by silently skipping a malform...

golang: archive/tar: Unbounded allocation when parsing GNU sparse map

A flaw was found in the archive/tar package in the Go standard library. tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A specially crafted tar archive with a pax header indicating a big number of sparse regions can cause a Go...

Fedora 41 : openapi-python-client / python-uv-build / ruff / etc (2025-43a0bff5ea)

The remote Fedora 41 host has packages installed that are affected by multiple vulnerabilities as referenced in the FEDORA-2025-43a0bff5ea advisory. uv 0.9.5 https://github.com/astral-sh/uv/blob/0.9.5/CHANGELOG.md Since uv was built with astral-tokio-tar 0.5.6, this is a security fix for...

astral-tokio-tar Vulnerable to PAX Header Desynchronization

Summary Versions of astral-tokio-tar prior to 0.5.6 contain a boundary parsing vulnerability that allows attackers to smuggle additional archive entries by exploiting inconsistent PAX/ustar header handling. When processing archives with PAX-extended headers containing size overrides, the parser...

Medium: grub2

Issue Overview: A flaw was found in grub2. A specially crafted JPEG file can cause the JPEG parser of grub2 to incorrectly check the bounds of its internal buffers, resulting in an out-of-bounds write. The possibility of overwriting sensitive information to bypass secure boot protections is not...

CLSA-2020-1605798462 Fix of 227 CVE

Fix bug 69720: Null pointer dereference in phargetfpoffset - Fix bug 70728: Type Confusion Vulnerability in PHPtoXMLRPCworker - Fix bug 70661: Use After Free Vulnerability in WDDX Packet Deserialization - Fix bug 70741: Session WDDX Packet Deserialization Type Confusion Vulnerability - Fix bug...

MGASA-2016-0318 Updated libarchive packages fix security vulnerability

The updated packages fix several security vulnerabilities: A flaw was found in the way libarchive handled hardlink archive entries of non-zero size. Combined with flaws in libarchive's file system sandboxing, this issue could cause an application using libarchive to overwrite arbitrary files with...

libarchive: Heap out of bounds read in TAR parser

A vulnerability was found in libarchive. A specially crafted TAR file could trigger an out-of-bounds read, potentially causing the application to disclose a small amount of application memory...

libarchive: Undefined behavior / invalid shiftleft in TAR parser

Undefined behavior invalid left shift was discovered in libarchive, in how Compress streams are identified. This could cause certain files to be mistakenly identified as Compress archives and fail to read...

libarchive: Undefined behavior / invalid shiftleft in TAR parser

Undefined behavior invalid left shift was discovered in libarchive, in how Compress streams are identified. This could cause certain files to be mistakenly identified as Compress archives and fail to read...

openSUSE Security Update : libarchive (openSUSE-2016-969)

libarchive was updated to fix 20 security issues. These security issues were fixed : - CVE-2015-8918: Overlapping memcpy in CAB parser bsc985698. - CVE-2015-8919: Heap out of bounds read in LHA/LZH parser bsc985697. - CVE-2015-8920: Stack out of bounds read in ar parser bsc985675. - CVE-2015-8921...

libarchive TAR parser heap out-of-bounds read vulnerability

libarchive is a multi-format archive and compression library. A security vulnerability exists in libarchive's TAR parser that can be exploited by an attacker to cause a heap out-of-bounds read...

libarchive TAR Parser Memory Disclosure Vulnerability

libarchive is a multi-format archive and compression library. A security vulnerability exists in libarchive's TAR parser that can be exploited by attackers to cause a memory leak...

libarchive TAR Parser Unauthorized Operation Vulnerability

libarchive is a multi-format archive and compression library. A security vulnerability exists in libarchive's TAR parser. An attacker can exploit this vulnerability to perform an undefined operation, resulting in an invalid left shift...

Internet Bug Bounty: Heap corruption in tar/zip/phar parser

https://bugs.php.net/bug.php?id=71354&edit=2...