CVE Catalog

CVE-2026-4360

Severity: Low (CVSS 2.0)

Exploitation Probability (EPSS)

Low risk
0.30%

22nd percentile: a higher EPSS score than 22% of all known CVEs

Summary

The extraction filter passed to the tarfile module's TarFile.extract() method is not applied when a hardlink member is extracted. With filter='data', tarfile is supposed to drop the uid/gid recorded in the archive so that extracted files belong to the extracting user; because of this flaw, a system that extracts untrusted tar files with filter='data' can still end up writing files with an unexpected uid/gid.

Risk Assessment

If an attacker supplies a malicious tar archive that triggers this flaw, extracted files can be written with an unexpected user or group identifier, which can lead to data integrity violations or privilege escalation. Note that tarfile only applies ownership from the archive (chown) when the extracting process runs as root, so the practical exposure is concentrated in privileged extraction jobs and services.

Recommendation

tarfile is part of the Python standard library, so the fix ships with the interpreter: update to a Python release that includes the corrected filter handling for hardlinks. Until then, do not extract untrusted tar archives, and in particular never extract them as root, since that is when tarfile applies the ownership recorded in the archive. Where extraction cannot be avoided, treat hardlink members with suspicion and verify the ownership of every extracted path afterwards.

Original NVD description (English source)

In the Tarfile.extract() function, the filter parameter is not passed properly when extracting hardlinks. An affected system that extracts content from untrusted tar files could end up writing files with an unexpected uid/gid despite the user passing filter='data' to the extract() function.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS