decompress before 4.2.2 allows arbitrary hardlink creation during archive extraction, enabling file read disclosure and file corruption. When processing hardlink entries (type === 'link'), the x.linkname field from the archive is passed directly to fs.link() without validation (index.js line 113). An attacker can craft an archive with a hardlink entry whose linkname is an absolute path to any file on the same filesystem. This creates a hardlink inside the extraction directory that shares the same inode as the target file, enabling both reading and overwriting the original file's content. Hardlinks are limited to files on the same filesystem and cannot target directories.
Metrics
Affected Vendors & Products
References
History
Mon, 13 Jul 2026 21:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Decompress Library Hardlink Vulnerability Allows File Read Disclosure and Corruption |
Sun, 12 Jul 2026 07:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Decompress Library Hardlink Vulnerability Allows File Read Disclosure and Corruption |
Sat, 11 Jul 2026 19:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Arbitrary Hardlink Creation during Archive Extraction | |
| Weaknesses | CWE-36 |
Fri, 10 Jul 2026 16:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-59 | |
| Metrics |
cvssV3_1
|
Fri, 10 Jul 2026 14:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Arbitrary Hardlink Creation during Archive Extraction | |
| Weaknesses | CWE-36 |
Thu, 09 Jul 2026 22:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Kevva
Kevva decompress |
|
| Vendors & Products |
Kevva
Kevva decompress |
Thu, 09 Jul 2026 21:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | decompress before 4.2.2 allows arbitrary hardlink creation during archive extraction, enabling file read disclosure and file corruption. When processing hardlink entries (type === 'link'), the x.linkname field from the archive is passed directly to fs.link() without validation (index.js line 113). An attacker can craft an archive with a hardlink entry whose linkname is an absolute path to any file on the same filesystem. This creates a hardlink inside the extraction directory that shares the same inode as the target file, enabling both reading and overwriting the original file's content. Hardlinks are limited to files on the same filesystem and cannot target directories. | |
| References |
|
Status: PUBLISHED
Assigner: mitre
Published: 2026-07-09T00:00:00.000Z
Updated: 2026-07-10T15:25:09.237Z
Reserved: 2026-04-06T00:00:00.000Z
Link: CVE-2026-39243
Updated: 2026-07-10T15:21:10.760Z
No data.
No data.