CVE-2026-43623

Published: Jun 1, 2026

Modified: Jun 2, 2026

PUBLISHED

CVSS v3.1

8.8

HIGH

Description

microtar through 0.1.0 contains a stack-based buffer overflow vulnerability in the raw_to_header() function in src/microtar.c that allows attackers to corrupt adjacent stack memory by supplying a crafted TAR archive with non-null-terminated name or linkname fields. The function uses strcpy() to copy 100-byte ustar format fields that lack null terminators, causing writes of up to 355 bytes into a 100-byte destination buffer when mtar_open(), mtar_find(), or mtar_read_header() process attacker-supplied TAR archives.

Vendor	Product	Versions
rxi	microtar	affected `0 - <= 0.1.0`

Weaknesses (CWE)

CWE-121

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

References

https://github.com/rxi/microtar/issues/28

technical-description

exploit

https://github.com/rxi/microtar/issues/29

issue-tracking

https://github.com/rxi/microtar/issues/30

issue-tracking

https://www.vulncheck.com/advisories/microtar-stack-based-buffer-overflow-via-raw-to-header

third-party-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-43623

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References