Severity: HIGH | CVE-2026-55738 | CNA: TuranSec

CVE-2026-55738: Stack Buffer Overflow in rxi/microtar raw_to_header() via non-null-terminated TAR name field

A stack-based buffer overflow exists in the raw_to_header() function in src/microtar.c in rxi microtar 0.1.0. The function copies the 100-byte name and linkname fields of a TAR header with strcpy() without guaranteeing null termination of the source. The POSIX ustar format permits these fixed-width fields to be fully populated with non-null bytes, so a crafted archive whose linkname field (followed by the trailing padding of the 512-byte raw header) contains no null terminator causes strcpy() to read past the end of the 512-byte raw header stack buffer and to write past the destination header buffer. A remote attacker who supplies a crafted TAR archive that the victim opens or parses (via mtar_open(), mtar_read_header(), or mtar_find()) can cause an out-of-bounds read and a stack buffer overflow, resulting in denial of service (crash) and potentially arbitrary code execution. Confirmed with AddressSanitizer: stack-buffer-overflow READ of size 356 in raw_to_header at src/microtar.c:112.
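The bounded handling that the description implies, as an added example (not microtar's code and not an upstream fix): a copy routine that tolerates unterminated fixed-width fields, and a pre-parse check that flags headers a strcpy()-based parser cannot handle safely. The function names are hypothetical, the field offsets are those of the ustar header layout, and the sample header is constructed.

```c
#include <stdio.h>
#include <string.h>

#define TAR_BLOCK     512  /* size of one raw header block */
#define TAR_FIELD_LEN 100  /* width of the name and linkname fields */
#define TAR_NAME_OFF  0    /* ustar offset of name */
#define TAR_LINK_OFF  157  /* ustar offset of linkname */

/* Bounded replacement for strcpy() on a fixed-width field: copies at most
 * field_len bytes and always terminates dst. Returns the string length, or
 * -1 when dst cannot hold the field plus its terminator. */
int tar_field_copy(char *dst, size_t dst_len,
                   const unsigned char *field, size_t field_len)
{
    const unsigned char *nul = memchr(field, '\0', field_len);
    size_t n = nul ? (size_t)(nul - field) : field_len;
    if (n + 1 > dst_len)
        return -1;
    memcpy(dst, field, n);
    dst[n] = '\0';
    return (int)n;
}

/* Pre-parse check: 1 if name and linkname each hold a NUL, else 0. */
int tar_header_is_terminated(const unsigned char block[TAR_BLOCK])
{
    return memchr(block + TAR_NAME_OFF, '\0', TAR_FIELD_LEN) != NULL &&
           memchr(block + TAR_LINK_OFF, '\0', TAR_FIELD_LEN) != NULL;
}

/* Constructed sample header: name "a.txt"; linkname either empty or
 * filled with 100 non-NUL bytes, which ustar permits. */
void make_sample_header(unsigned char block[TAR_BLOCK], int full_linkname)
{
    memset(block, 0, TAR_BLOCK);
    memcpy(block + TAR_NAME_OFF, "a.txt", 5);
    if (full_linkname)
        memset(block + TAR_LINK_OFF, 'L', TAR_FIELD_LEN);
}

int main(void)
{
    unsigned char block[TAR_BLOCK];
    char out[TAR_FIELD_LEN + 1];
    make_sample_header(block, 1);
    printf("terminated=%d copied=%d\n", tar_header_is_terminated(block),
           tar_field_copy(out, sizeof out, block + TAR_LINK_OFF, TAR_FIELD_LEN));
    return 0;
}
```

A fully populated 100-byte field needs a 101-byte destination; with a 100-byte destination the routine returns -1 instead of writing past the buffer.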

Metrics

  • CVSS v4.0: 8.7
  • Severity: HIGH
  • Fixed in: none published
  • Affected Products: 1

HarborGuard Analysis

Synopsis

A stack-based buffer overflow affects rxi microtar version 0.1.0 in the raw_to_header() function, reachable over the network when a victim opens or parses a crafted TAR archive. The function uses strcpy() on fixed-width TAR header fields that the POSIX ustar format permits to contain no null terminator, allowing reads and writes past the boundaries of a 512-byte stack buffer. Successful exploitation causes a crash and can lead to arbitrary code execution. No upstream fix has been published; HarborGuard tracks the advisory and will make a patched-image rebuild available as soon as one is released.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-55738 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle microtar 0.1.0 as a dependency.

Triage: Available

HarborGuard is capable of scoring this finding at CVSS 8.7 (HIGH) and weighting it against each environment's compliance policy to determine urgency. Triage routing is available to direct the finding to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Patch: Pending upstream

Because no fix version has been published for microtar 0.1.0, HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. In the interim, compensating controls are available through HarborGuard's policy engine, including network-policy isolation for workloads that parse user-supplied TAR archives and egress filtering to reduce attacker-controlled input surfaces.

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the crafted TAR archive over the network, so the affected service or application must be reachable remotely.

  • Authentication: Not required

    No credentials are needed; the attacker only needs to supply a malformed archive to an endpoint that processes it.

  • Victim interaction: Required

    A user or automated process must open or parse the crafted archive through mtar_open(), mtar_read_header(), or mtar_find() for the overflow to trigger.

  • Attack complexity (detail)

    Attack complexity is low, meaning the exploit is reliable and requires no special environmental conditions, race conditions, or memory-layout dependencies beyond delivering the malformed archive.

Blast Radius

  • An attacker can crash the process parsing the archive, taking down any service or pipeline step that depends on it.
  • The out-of-bounds strcpy() write corrupts adjacent stack memory, giving an attacker a primitive to overwrite return addresses or function pointers for arbitrary code execution.
  • With code execution on a container host, an attacker can read sensitive data in process memory, including credentials, session tokens, or decrypted secrets loaded at runtime.
  • An attacker can modify in-memory state or persisted data handled by the affected process before or after the overflow.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix for CVE-2026-55738 exists at this time, the platform monitors the rxi microtar advisory on every ingest cycle and will trigger a patched-image rebuild automatically once a fix version is published. For customers with auto-remediation enabled, that rebuild will be followed by a regression-test run and a PR opened against affected workloads with no manual intervention required. While no patch is available, HarborGuard's policy engine can apply compensating controls: network-policy isolation scoped to workloads that accept user-supplied TAR archives, egress filtering to limit attacker-controlled input paths, and feature-flag or admission-policy gating to block deployment of images carrying the affected microtar version into production. Customers are encouraged to review which internal images include microtar 0.1.0 as a direct or transitive dependency using HarborGuard's dependency-graph view, and to prioritize those images for rapid rebuild once an upstream fix is available.

Affected packages
  • rxi / microtar 0.1.0
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N