{"uuid": "3fd610fc-abf0-4982-baf0-7bf9c13c7195", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-45491", "type": "seen", "source": "https://gist.github.com/alon710/6783c7f2ed7c6e138aaba0f21814c8e7", "content": "# CVE-2026-45491: Directory Traversal via Improper Link Resolution in .NET System.Formats.Tar\n\n> **CVSS Score:** 6.2\n> **Published:** 2026-06-16\n> **Full Report:** https://cvereports.com/reports/CVE-2026-45491\n\n## Summary\nA directory traversal vulnerability exists in the Microsoft .NET System.Formats.Tar library during archive extraction. When extracting a TAR archive using the TarFile.ExtractToDirectory API, the extraction engine improperly resolves symbolic links prior to file creation, allowing local unauthorized attackers to write or overwrite arbitrary files outside the target directory. This can lead to local tampering, privilege escalation, or arbitrary code execution.\n\n## TL;DR\nSystem.Formats.Tar in .NET 8.0, 9.0, and 10.0 fails to validate symbolic link targets during extraction, enabling local directory traversal and arbitrary file writes (Tar Slip).\n\n## Technical Details\n\n- **CWE ID**: CWE-59\n- **Attack Vector**: Local\n- **CVSS Base Score**: 6.2\n- **EPSS Score**: 0.00301 (21.55 percentile)\n- **Impact**: High Integrity Tampering / Privilege Escalation\n- **Exploit Status**: No public weaponized exploit code available\n- **CISA KEV Status**: Not Listed\n\n## Affected Systems\n\n- .NET Core and .NET runtimes on Linux (Ubuntu, RHEL, Rocky, Alma, Amazon Linux, Alpine, Oracle Linux)\n- .NET Core and .NET runtimes on Windows\n- ASP.NET Core applications incorporating archive upload or processing components\n- **.NET 8.0**: >= 8.0.0 to < 8.0.28 (Fixed in: `8.0.28`)\n- **.NET 9.0**: >= 9.0.0 to < 9.0.17 (Fixed in: `9.0.17`)\n- **.NET 10.0**: >= 10.0.0 to < 10.0.9 (Fixed in: `10.0.9`)\n\n## Mitigation\n\n- Upgrade .NET Core and .NET Runtimes to patched versions (8.0.28, 9.0.17, 10.0.9).\n- Sanitize and resolve archive path boundaries manually before calling extraction APIs if upgrading is not immediately possible.\n- Implement strict system privilege boundaries so .NET processes run with the least necessary privileges.\n\n**Remediation Steps:**\n1. Locate all installations of the .NET SDK and Runtime across development environments and production servers.\n2. Apply June 2026 security updates using system package managers or by rebuilding container images with official updated base images.\n3. Scan existing codebases for calls to System.Formats.Tar.TarFile.ExtractToDirectory and ensure they only ingest trusted archives.\n4. Configure File Integrity Monitoring (FIM) to monitor sensitive directories for unexpected write activity.\n\n## References\n\n- [Microsoft Security Advisory](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45491)\n- [CVE Authority Record](https://www.cve.org/CVERecord?id=CVE-2026-45491)\n- [Wiz Security Vulnerability DB Record](https://www.wiz.io/vulnerability-database/cve/cve-2026-45491)\n- [Official .NET Runtime Repository](https://github.com/dotnet/runtime)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-45491) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-16T15:31:48.000000Z"}