CVE Catalog

CVE-2026-11940

HighCVSS 7.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.60%

44th percentile — higher than 44% of all known CVEs

Summary

A vulnerability in tarfile.extractall() with the 'data' or 'tar' filter can be bypassed by a crafted archive where a hardlink references a symlink stored at a deeper name. The validation checks the symlink at its archived location but recreates it at the hardlink's shallower path, allowing escape from the destination directory.

Risk Assessment

An attacker can exploit this to read or write files outside the destination directory, potentially leading to data confidentiality breaches or unauthorized system modifications.

Recommendation

Immediately update the Python library to a version containing the fix for CVE-2026-11940. Until updated, avoid using extractall() with 'data' or 'tar' filters on untrusted archives.

Original NVD description (English source)

tarfile.extractall() with the 'data' or 'tar' filter could be bypassed by a crafted archive where a hardlink references a symlink stored at a deeper name than the hardlink itself.  The extraction fallback validated the symlink at it's archived location but recreated it at the hardlink's shallower path, letting a relative target the filter judged contained escape the destination directory.  This allowed a malicious tar archive to create a symlink pointing outside the destination, enabling out-of-destination file reads or writes. This was an incomplete fix of CVE-2025-4330.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS