Threat Advisory

async-tar Flaw Enables Tar Entry/Content Smuggling

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Medium
[subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

CVE-2026-53600 with a CVSS score of 6.3 is a vulnerability affecting async-tar versions < 0.6.1 affecting async-tar versions **0 in the async-tar PAX extension-header desync, which enables tar entry/content smuggling by mis-applying a buffered PAX size to an intermediary GNU longname L header instead of to the next file entry, allowing an attacker to construct an x → L → file sequence whose entry list and on-disk result differ between async-tar and a reference parser, resulting in differential extraction / entry smuggling. An affected consumer that extracts an attacker-influenced tar stream with async-tar will materialize files / file contents that a POSIX-correct parser would not, potentially leading to the execution of malicious code or the exposure of sensitive data. The flaw is due to type confusion and improper validation of the specified quantity (size), which can be exploited via the environment template management API by an attacker who can influence a tar stream that an async-tar consumer extracts.

RECOMMENDATION:

We recommend you to update async-tar to version 0.6.1.[/subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

CVE-2026-53600 with a CVSS score of 6.3 is a vulnerability affecting async-tar versions < 0.6.1 affecting async-tar versions **0 in the async-tar PAX extension-header desync, which enables tar entry/content smuggling by mis-applying a buffered PAX size to an intermediary GNU longname L header instead of to the next file entry, allowing an attacker to construct an x → L → file sequence whose entry list and on-disk result differ between async-tar and a reference parser, resulting in differential extraction / entry smuggling. An affected consumer that extracts an attacker-influenced tar stream with async-tar will materialize files / file contents that a POSIX-correct parser would not, potentially leading to the execution of malicious code or the exposure of sensitive data. The flaw is due to type confusion and improper validation of the specified quantity (size), which can be exploited via the environment template management API by an attacker who can influence a tar stream that an async-tar consumer extracts.

RECOMMENDATION:

We recommend you to update async-tar to version 0.6.1.[emaillocker id="1283"]

REFERENCES:

The following reports contain further technical details:

[/emaillocker]
crossmenu