CRITICAL | CVE-2026-45390 | CNA: mitre

CVE-2026-45390: In OCaml-tar before 3

In OCaml-tar before 3.4.0, a crafted archive with ../ path segments in its name allows escaping the current working directory. This is not desired behavior, and tar(1) rejects such extractions, but ocaml-tar decompresses it anyway. The impact is that it allows arbitrary file writes outside of the desired extraction directory (to an attacker that can reach a tar decompression endpoint).
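As an added illustration (not code from ocaml-tar or from this advisory), the containment check an extractor should apply to each entry name before writing it, in Python: it normalises the archive name, rejects '../' escapes and absolute names (a generalisation beyond the '../' case this record describes), and scans a constructed sample archive for offending entries.

```python
import io
import os
import posixpath
import tarfile


def is_contained(dest: str, member_name: str) -> bool:
    """Return True only if member_name, joined to dest, stays inside dest.

    This is the containment rule tar(1) enforces and that the record says
    ocaml-tar before 3.4.0 lacked: any '..' segment (or absolute name) that
    resolves outside the extraction directory is rejected.
    """
    dest_real = os.path.realpath(dest)
    # Normalise the archive's POSIX-style name first, so 'a/../../x' collapses
    # to '../x'; refuse absolute names and parent escapes before touching disk.
    norm = posixpath.normpath(member_name)
    if posixpath.isabs(norm) or norm == ".." or norm.startswith("../"):
        return False
    target = os.path.realpath(os.path.join(dest_real, norm))
    return os.path.commonpath([dest_real, target]) == dest_real


def find_escaping_members(archive: bytes, dest: str) -> list:
    """List every entry of a tar archive (given as bytes) that would escape dest."""
    bad = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tf:
        for member in tf.getmembers():
            if not is_contained(dest, member.name):
                bad.append(member.name)
    return bad


def build_sample_archive() -> bytes:
    """Constructed sample archive: one benign entry and one with '../' segments."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in ("docs/readme.txt", "../../outside/escaped.txt"):
            data = b"x"
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    # Scanning, not extracting: the hypothetical /tmp/extract need not exist.
    print(find_escaping_members(build_sample_archive(), "/tmp/extract"))
```

Running the scan over an upload before extraction is a cheap detection control while the library itself is unpatched.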

Metrics

CVSS v3.1: 9.1
Severity: CRITICAL
Fixed in: (none listed)
Affected Products: 1


HarborGuard Analysis

Synopsis

A path-traversal vulnerability in the OCaml-tar library (versions before 3.4.0) allows a crafted tar archive containing '../' path segments to write files outside the intended extraction directory. The vulnerability is reachable over the network with no authentication required and no victim interaction needed, making any service that accepts and decompresses tar archives a direct target. Successful exploitation gives an attacker arbitrary file write access on the host filesystem, which can lead to code execution or data tampering. No fix version has been published yet; HarborGuard tracks the advisory and will surface a patched-image rebuild as soon as upstream ships a fix.

HarborGuard Coverage

Detection (status: Available)

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle the ocaml-tar library directly. Any image layer containing an affected version of ocaml-tar is flagged automatically.

Triage (status: Available)

HarborGuard is capable of scoring this CVE at its published CVSS 3.1 rating of 9.1 (Critical) and weighting that score against each customer environment's compliance policy to determine urgency and routing. Triage tickets are routable to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Patch (status: Pending upstream)

Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix is released by the ocaml-tar maintainers. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered automatically at that point without requiring manual intervention.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the vulnerable tar-decompression endpoint over the network; any internet- or intranet-exposed service accepting tar archive uploads is in scope.

  • Authentication: Not required

    No credentials or session token are needed; the CVSS vector specifies PR:N, meaning an unauthenticated attacker can submit a malicious archive.

  • Victim interaction: Not required

    No user action is needed beyond the service's normal operation; the CVSS vector specifies UI:N, so exploitation is fully attacker-driven.

  • Attack complexity: Low

    Attack complexity is Low (AC:L), meaning the exploit is reliable and repeatable with no race conditions or special environmental prerequisites.

Blast Radius

  • The attacker writes arbitrary files to any path on the host filesystem that the process running ocaml-tar has write permission to.
  • Writes to executable locations (init scripts, cron jobs, application binaries) can lead to remote code execution on the host.
  • Writes to configuration or credential files can expose secrets, overwrite access-control rules, or alter application behavior persistently.
  • Confidential data already stored on the filesystem is at risk of being overwritten or corrupted, causing integrity loss across any data the process can reach.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix has been published for CVE-2026-45390, HarborGuard continuously re-checks the ocaml-tar advisory on every ingest cycle and will trigger a patched-image rebuild automatically the moment a fix version is released. In the interim, compensating controls are worth considering: network-policy rules that restrict which services are permitted to receive user-supplied tar archives, egress filtering on extraction workloads to limit blast radius if exploitation occurs, and feature-flag gating to disable tar-decompression endpoints that are not strictly required. For customers with auto-remediation enabled, the full rebuild, regression-test run, and PR-opening flow will fire without delay once a fix is available upstream. The Critical severity rating (CVSS 9.1) means this advisory is eligible for expedited triage routing under most HarborGuard compliance policy configurations.

Affected packages
  • n/a
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
References