CVE-2026-24842

high Red Hat
CVSS v3 Base Score
8.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
EPSS Score
0.0%
Exploitation probability in 30 days
Top 96% most likely to be exploited
Attack Characteristics
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Confidentiality
High
Integrity
Low
Availability
None
Published: January 28, 2026 (107 days ago)
Last Modified: January 28, 2026
Vendor: Red Hat
Fix Available: ✓ Yes

Description

node-tar,a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue.

CWE

CWE-59

Affected Products

Cryostat 4Logging Subsystem for Red Hat OpenShiftMulticluster Engine for KubernetesRed Hat 3scale API Management Platform 2Red Hat Advanced Cluster Management for Kubernetes 2Red Hat AMQ Broker 7Red Hat build of Apache Camel - HawtIO 4Red Hat Enterprise Linux 10Red Hat Enterprise Linux 6Red Hat Enterprise Linux 7

Fix Status

✅ Fix Available

References

🔗 bugzilla.redhat.com 🔗 www.cve.org 🔗 nvd.nist.gov 🔗 github.com 🔗 github.com