CVE-2026-43623: microtar 0.1.0 Stack-Based Buffer Overflow via raw_to_header()
microtar through 0.1.0 contains a stack-based buffer overflow vulnerability in the raw_to_header() function in src/microtar.c that allows attackers to corrupt adjacent stack memory by supplying a crafted TAR archive with non-null-terminated name or linkname fields. The function uses strcpy() to copy 100-byte ustar format fields that lack null terminators, causing writes of up to 355 bytes into a 100-byte destination buffer when mtar_open(), mtar_find(), or mtar_read_header() process attacker-supplied TAR archives.
Metrics
- CVSS v4.0: 8.7
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A stack-based buffer overflow exists in microtar 0.1.0, specifically in the raw_to_header() function in src/microtar.c. The flaw is reachable over the network and requires no authentication, but does require a victim to open or process a crafted TAR archive; an attacker supplies a malicious archive with non-null-terminated name or linkname fields, causing strcpy() to write up to 355 bytes into a 100-byte stack buffer. Successful exploitation gives the attacker full control over adjacent stack memory, enabling arbitrary code execution, data disclosure, or a service crash. No upstream fix has been published; HarborGuard tracks the advisory and will make a patched-image rebuild available as soon as upstream ships a fix.
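As an added illustration (not microtar's own code), the C snippet below shows a bounded replacement for the strcpy() pattern the advisory describes, exercised on a constructed header whose 100-byte name field carries no NUL terminator. The struct is a simplified stand-in for the ustar block layout (name at offset 0, linkname at offset 157), and the function names are hypothetical.

```c
#include <string.h>

/* Simplified stand-in for a ustar header block (constructed for this example,
 * not microtar's definitions). The mode/owner/size/mtime/checksum/type fields
 * that sit between name and linkname are collapsed into 'other'. */
typedef struct {
    char name[100];      /* the format does NOT guarantee a NUL in here */
    char other[57];      /* so linkname starts at byte 157, as in ustar */
    char linkname[100];  /* same caveat */
} raw_header_t;

typedef struct {
    char name[101];      /* +1 so a full 100-char name still gets a NUL */
    char linkname[101];
} header_t;

/* Length of a fixed-width tar string field, never reading past 'width'.
 * A field with no NUL is exactly the advisory's trigger: strcpy() would
 * keep reading into whatever follows the field in the block. */
static size_t field_len(const char *field, size_t width)
{
    const char *nul = memchr(field, '\0', width);
    return nul ? (size_t)(nul - field) : width;
}

/* Hardened replacement for the strcpy() pattern: bounded copy plus explicit
 * terminator. Returns how many fields lacked a NUL (0 means well-formed). */
int raw_to_header_safe(const raw_header_t *raw, header_t *h)
{
    size_t n = field_len(raw->name, sizeof raw->name);
    size_t m = field_len(raw->linkname, sizeof raw->linkname);
    memcpy(h->name, raw->name, n);
    h->name[n] = '\0';
    memcpy(h->linkname, raw->linkname, m);
    h->linkname[m] = '\0';
    return (n == sizeof raw->name) + (m == sizeof raw->linkname);
}

/* Constructed sample: name field is 100 'A's with no terminator. Returns the
 * converted name's length if exactly one field was flagged, else -1. */
int demo_unterminated_name(void)
{
    raw_header_t raw;
    header_t h;
    memset(&raw, 0, sizeof raw);
    memset(raw.name, 'A', sizeof raw.name);
    memcpy(raw.linkname, "link", 5);
    if (raw_to_header_safe(&raw, &h) != 1) return -1;
    return (int)strlen(h.name);
}
```

The non-zero return from raw_to_header_safe() is the signal a scanner or hardened reader would log: such a header is malformed under the conditions this advisory describes.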
HarborGuard Coverage
- [Available] Detection is available across every HarborGuard environment: CVE-2026-43623 is ingested from upstream vulnerability feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that vendor or bundle microtar. Images at any version at or below 0.1.0 are flagged automatically.
- [Available] HarborGuard scores this finding at CVSS v4.0 8.7 (HIGH) and weights it against each customer environment's compliance policy to prioritize routing. Findings are delivered to the appropriate team inbox within each customer organization based on image ownership and policy configuration.
- [Pending upstream] Because no upstream fix version has been published for microtar, HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available the moment upstream ships a remediated release. In the meantime, customers can apply compensating controls through HarborGuard's policy engine, such as network-policy isolation for workloads that process user-supplied TAR archives or flagging the image for manual review.
Exploit Conditions
- Network reachability: Required. The attacker must deliver a crafted TAR archive to the target over the network, requiring the vulnerable service to be reachable remotely.
- Authentication: Not required. No credentials or account are needed; the attacker only needs to supply a malicious TAR file to the processing endpoint.
- Victim interaction: Required. A user or automated process must open, scan, or otherwise process the attacker-supplied TAR archive via mtar_open(), mtar_find(), or mtar_read_header().
- Attack complexity: Low. Exploit conditions are straightforward and reliable; no race conditions or special memory-layout prerequisites are required to trigger the overflow.
Blast Radius
- Reads arbitrary memory from the stack of the processing application, potentially exposing in-memory secrets, session tokens, or cryptographic material.
- Overwrites adjacent stack frames with attacker-controlled bytes, enabling arbitrary code execution in the context of the process handling the TAR archive.
- Corrupts stack canaries or return addresses in a way that crashes the affected service, causing a denial of service for any workload relying on microtar for archive processing.
- Compromises both the confidentiality and integrity of data handled by the affected process, including file paths, metadata, and any content extracted from TAR archives.
How HarborGuard Handles This
Because no fix version exists for microtar at this time, HarborGuard continuously re-checks the upstream advisory on every ingest cycle and will automatically trigger a patched-image rebuild and, for customers with auto-remediation enabled, open a PR against affected workloads the moment a remediated release is published. While awaiting an upstream patch, customers can use HarborGuard's policy engine to apply compensating controls: isolating workloads that process user-supplied TAR archives behind strict network policies, blocking untrusted archive files at the ingress/egress filtering layer, and marking affected images as requiring explicit sign-off before deployment to production. For environments with auto-remediation enabled, the typical flow from CVE publication to a merged patch PR for high-severity issues runs around 90 minutes once a fix version becomes available upstream.
Affected Products
- rxi / microtar: versions ≤ 0.1.0
CVSS v4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N