Intel

AIKIDO-2026-568044

tar is vulnerable to Denial of Service (DoS)

Denial of Service (DoS)GHSA-gvwx-54wh-qm9j Published Jun 29, 2026

53

Medium Risk

This Affects:

JStar
0.0.1 - 7.5.16
Fixed in 7.5.17
Are you affected? Scan for Free

TL;DR

tar strips trailing NUL bytes from GNU long-name and long-linkpath extended headers but does not apply the same sanitization to the path and linkpath values parsed from PAX extended headers. A crafted PAX record that embeds a NUL byte in a path or linkpath is parsed verbatim into the entry path and reaches the underlying filesystem calls, which reject the NUL byte and throw an error outside the caller's await and try-catch boundary. Extracting an untrusted archive therefore raises an uncaught exception that terminates the process, and the same parsing gap creates a parser differential that lets a NUL-bearing path bypass validators that pre-scan archives with other tar tools. The fix strips everything from the first NUL byte onward when parsing PAX key/value records.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application extracts or parses untrusted tar archives.

Background info

tar is vulnerable to Denial of Service (DoS) in versions 0.0.1 - 7.5.16.

How to fix this

Upgrade the tar library to the patch version.