CVE-2026-4360
Severity: Low (CVSS 2.0)
Exploitation Probability (EPSS): Low risk, 22nd percentile (higher than 22% of all known CVEs)
Summary
In Python's tarfile module, TarFile.extract() does not pass the filter argument through properly when it extracts hard link members. A system that extracts untrusted tar archives can therefore end up writing files with an archive-supplied uid/gid even though the caller passed filter='data', a filter that is supposed to discard the archive's ownership metadata (it clears uid, gid, uname and gname so that extraction never calls chown).
Risk Assessment
An attacker who supplies a malicious tar archive can cause extracted files to end up owned by a user or group of the attacker's choosing, for example left owned by root or handed to another local account, which can lead to data integrity violations or privilege escalation. Note that tarfile only changes ownership when the extracting process has an effective uid of 0, so the realistic exposure is services and installers that unpack untrusted archives as root while relying on filter='data' for safety.
Recommendation
tarfile is part of the Python standard library, so the fix ships with the interpreter: update Python (or the distribution's python package) to a release in which extract() applies the filter to hard link members. Until updated, do not extract untrusted tar archives; where that cannot be avoided, refuse or handle hard link members yourself rather than relying on filter='data', and never run the extraction as root.
Original NVD description (English source)
In the Tarfile.extract() function, the filter parameter is not passed properly when extracting hardlinks. An affected system that extracts content from untrusted tar files could end up writing files with an unexpected uid/gid despite the user passing filter='data' to the extract() function.

