CVE-2026-54417 | Severity: HIGH | CNA: TuranSec

CVE-2026-54417: Integer Overflow in rxi/microtar mtar_next() Causes Infinite Loop DoS

An integer overflow in the mtar_next() function in src/microtar.c in rxi microtar 0.1.0 allows a remote attacker to cause a denial of service (uncontrolled CPU consumption / infinite loop) via a crafted tar archive. mtar_next() computes the offset to the next record as round_up(h.size, 512) + sizeof(mtar_raw_header_t) using 32-bit arithmetic. When the header size field lies in the range 0xFFFFFC01-0xFFFFFE00 (every value that rounds up to the 512-byte multiple 0xFFFFFE00, e.g. 0xFFFFFE00 itself), the addition wraps to 0, so mtar_next() seeks to the current record position instead of advancing. As a result, mtar_find() and any loop that iterates entries with mtar_next() repeat indefinitely over the same record, hanging the process at 100% CPU with no recovery.

Metrics

CVSS v4.0: 8.7
Severity: HIGH
Fixed in: no fix version published
Affected products: 1


HarborGuard Analysis

Synopsis

An integer overflow in the mtar_next() function of rxi microtar 0.1.0 allows a remote attacker to trigger an infinite loop by sending a crafted tar archive over the network, requiring no authentication. Successful exploitation locks the affected process at 100% CPU indefinitely, causing a denial of service with no self-recovery. HarborGuard is tracking this advisory for patch availability, as no fix version has been published by the upstream maintainer.

HarborGuard Coverage

Detection

Detection for CVE-2026-54417 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle rxi microtar 0.1.0.

Status: Available

Triage

HarborGuard is capable of scoring this CVE at 8.7 HIGH (CVSS v4.0) and weighting that score against each environment's compliance policy to produce a prioritized finding routed to the appropriate team inbox within the customer org.

Status: Available

Patch

Because no upstream fix version exists for CVE-2026-54417, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream maintainer publishes a corrected release. In the interim, compensating controls are surfaced in the finding detail for manual review.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker delivers a crafted tar archive over the network to any service that processes tar input with the affected library, so the service must be reachable remotely.

  • Authentication: Not required

    No credentials or account are needed; the exploit is reachable by any unauthenticated party that can send input to the affected service.

  • Victim interaction: Not required

    No user action is required; the overflow triggers automatically when the application processes the malicious archive.

  • Attack complexity: Low

    Exploitation is reliable and condition-free: crafting a header size value in the documented overflow range is straightforward arithmetic with no race condition or environmental dependency.

Blast Radius

  • The affected process enters an infinite loop consuming 100% of an available CPU core with no built-in recovery path.
  • Any request handling, background job, or pipeline stage that depends on the hung process is blocked for the duration of the loop.
  • If the process runs without a watchdog or container restart policy, the denial of service persists until the process is manually killed or the host is rebooted.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists, the platform monitors the rxi microtar advisory on every ingest cycle and will surface a patched-image rebuild the moment a corrected version is published. While the vulnerability is unpatched, the finding detail includes compensating-control guidance: isolate services that process externally-supplied tar archives behind a network policy that restricts inbound sources; apply egress filtering to limit lateral movement from a hung process; and consider a feature-flag or application-layer check to reject archives with header size fields in the unsafe range (0xFFFFFC01 to 0xFFFFFE00) before passing input to microtar. For customers with auto-remediation enabled, a rebuilt image and regression run will be initiated and a PR opened against affected workloads as soon as an upstream fix version is available.
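The following is an added example, not code from microtar or from HarborGuard, that serves both the technical description above and the application-layer pre-check this guidance recommends: it reproduces the 32-bit advance computation the advisory describes so the wrap is visible, places a 64-bit checked version beside it, and wraps that check around a small parser for the ASCII-octal size field so an archive can be screened before it is handed to microtar. It goes beyond the documented range by rejecting every size whose advance does not fit in 32 bits; the function and macro names are assumptions.

```c
#include <stdint.h>

/* Constructed constants mirroring the tar layout the advisory describes:
 * a 512-byte raw header record, and file data padded to a 512-byte boundary. */
#define TAR_BLOCK       512u
#define RAW_HEADER_SIZE 512u
#define SIZE_FIELD_LEN  12

/* Parse the ASCII-octal size field of a tar header into 64 bits so a value
 * near 2^32 is not truncated before it is checked. Returns UINT64_MAX if the
 * field is malformed. Assumed helper, not microtar's own parser. */
uint64_t parse_octal_size(const char *field) {
    uint64_t value = 0;
    for (int i = 0; i < SIZE_FIELD_LEN && field[i] != '\0' && field[i] != ' '; i++) {
        if (field[i] < '0' || field[i] > '7' || value > (UINT64_MAX >> 3))
            return UINT64_MAX;
        value = (value << 3) | (uint64_t)(field[i] - '0');
    }
    return value;
}

/* The 32-bit computation from the advisory, round_up(size, 512) + header size,
 * reproduced only to show the wrap: for any size in 0xFFFFFC01..0xFFFFFE00 the
 * rounded value is 0xFFFFFE00 and adding 512 gives 2^32, which is 0 in uint32_t. */
uint32_t next_record_advance_32(uint32_t size) {
    uint32_t rounded = size + (TAR_BLOCK - size % TAR_BLOCK) % TAR_BLOCK;
    return rounded + RAW_HEADER_SIZE;
}

/* Hardened replacement: the same arithmetic in 64 bits, rejecting any size whose
 * advance would not fit in 32 bits. That covers the documented range (the sum
 * wraps to 0) and also larger sizes, where the rounding step itself wraps.
 * Returns the advance on success, or 0 (never a valid advance) on overflow. */
uint32_t next_record_advance_checked(uint64_t size) {
    uint64_t rounded = size + (TAR_BLOCK - size % TAR_BLOCK) % TAR_BLOCK;
    uint64_t total = rounded + RAW_HEADER_SIZE;
    if (total > UINT32_MAX)
        return 0;
    return (uint32_t)total;
}

/* Application-layer pre-check on the raw 12-byte size field of one header:
 * returns 1 if the entry can be stepped over safely, 0 if the archive should be
 * rejected before it reaches microtar. */
int size_field_is_safe(const char *field) {
    uint64_t size = parse_octal_size(field);
    if (size == UINT64_MAX)
        return 0;
    return next_record_advance_checked(size) != 0;
}
```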

Affected packages
  • rxi / microtar 0.1.0

CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N