{ "document": { "aggregate_severity": { "text": "Medium" }, "category": "csaf_vex", "csaf_version": "2.0", "distribution": { "text": "TuxCare License Agreement", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://tuxcare.com/contact/", "name": "TuxCare", "namespace": "https://tuxcare.com/" }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://security.tuxcare.com/csaf/v2/els_os/ubuntu18.04els/vex/2026/cve-2026-29786-els_os-ubuntu18_04els.json" } ], "tracking": { "current_release_date": "2026-03-19T14:23:47Z", "generator": { "date": "2026-03-19T14:23:47Z", "engine": { "name": "pyCSAF" } }, "id": "CVE-2026-29786-ELS_OS-UBUNTU18.04ELS", "initial_release_date": "2026-03-07T16:15:00Z", "revision_history": [ { "date": "2026-03-07T16:15:00Z", "number": "1", "summary": "Initial version" }, { "date": "2026-03-18T11:30:27Z", "number": "2", "summary": "Official Publication" }, { "date": "2026-03-19T14:23:47Z", "number": "3", "summary": "Update document" } ], "status": "final", "version": "3" }, "title": "Security update on CVE-2026-29786" }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Ubuntu 18.04", "product": { "name": "Ubuntu 18.04", "product_id": "Ubuntu-18", "product_identification_helper": { "cpe": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*" } } } ], "category": "product_family", "name": "Ubuntu" }, { "branches": [ { "category": "product_version", "name": "tar-scripts-0:1.29b-2ubuntu0.4.amd64", "product": { "name": "tar-scripts-0:1.29b-2ubuntu0.4.amd64", "product_id": "tar-scripts-0:1.29b-2ubuntu0.4.amd64", "product_identification_helper": { "purl": "pkg:deb/ubuntu/tar-scripts@1.29b-2ubuntu0.4?arch=amd64" } } }, { "category": "product_version", "name": "tar-0:1.29b-2ubuntu0.4.amd64", "product": { "name": "tar-0:1.29b-2ubuntu0.4.amd64", "product_id": "tar-0:1.29b-2ubuntu0.4.amd64", "product_identification_helper": { "purl": "pkg:deb/ubuntu/tar@1.29b-2ubuntu0.4?arch=amd64" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "Canonical Ltd." }, { "branches": [ { "branches": [ { "category": "product_version", "name": "tar-scripts-0:1.29b-2ubuntu0.4+tuxcare.els1.amd64", "product": { "name": "tar-scripts-0:1.29b-2ubuntu0.4+tuxcare.els1.amd64", "product_id": "tar-scripts-0:1.29b-2ubuntu0.4+tuxcare.els1.amd64", "product_identification_helper": { "purl": "pkg:deb/cloudlinux/tar-scripts@1.29b-2ubuntu0.4%2Btuxcare.els1?arch=amd64" } } }, { "category": "product_version", "name": "tar-0:1.29b-2ubuntu0.4+tuxcare.els1.amd64", "product": { "name": "tar-0:1.29b-2ubuntu0.4+tuxcare.els1.amd64", "product_id": "tar-0:1.29b-2ubuntu0.4+tuxcare.els1.amd64", "product_identification_helper": { "purl": "pkg:deb/cloudlinux/tar@1.29b-2ubuntu0.4%2Btuxcare.els1?arch=amd64" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "CloudLinux" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "tar-scripts-0:1.29b-2ubuntu0.4+tuxcare.els1.amd64 as a component of Ubuntu 18.04", "product_id": "Ubuntu-18:tar-scripts-0:1.29b-2ubuntu0.4+tuxcare.els1.amd64" }, "product_reference": "tar-scripts-0:1.29b-2ubuntu0.4+tuxcare.els1.amd64", "relates_to_product_reference": "Ubuntu-18" }, { "category": "default_component_of", "full_product_name": { "name": "tar-0:1.29b-2ubuntu0.4+tuxcare.els1.amd64 as a component of Ubuntu 18.04", "product_id": "Ubuntu-18:tar-0:1.29b-2ubuntu0.4+tuxcare.els1.amd64" }, "product_reference": "tar-0:1.29b-2ubuntu0.4+tuxcare.els1.amd64", "relates_to_product_reference": "Ubuntu-18" }, { "category": "default_component_of", "full_product_name": { "name": "tar-scripts-0:1.29b-2ubuntu0.4.amd64 as a component of Ubuntu 18.04", "product_id": "Ubuntu-18:tar-scripts-0:1.29b-2ubuntu0.4.amd64" }, "product_reference": "tar-scripts-0:1.29b-2ubuntu0.4.amd64", "relates_to_product_reference": "Ubuntu-18" }, { "category": "default_component_of", "full_product_name": { "name": "tar-0:1.29b-2ubuntu0.4.amd64 as a component of Ubuntu 18.04", "product_id": "Ubuntu-18:tar-0:1.29b-2ubuntu0.4.amd64" }, "product_reference": "tar-0:1.29b-2ubuntu0.4.amd64", "relates_to_product_reference": "Ubuntu-18" } ] }, "vulnerabilities": [ { "cve": "CVE-2026-29786", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')" }, "notes": [ { "category": "description", "text": "node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This issue has been patched in version 7.5.10.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "known_affected": [ "Ubuntu-18:tar-0:1.29b-2ubuntu0.4+tuxcare.els1.amd64", "Ubuntu-18:tar-0:1.29b-2ubuntu0.4.amd64", "Ubuntu-18:tar-scripts-0:1.29b-2ubuntu0.4+tuxcare.els1.amd64", "Ubuntu-18:tar-scripts-0:1.29b-2ubuntu0.4.amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2026-29786" }, { "category": "external", "summary": "https://github.com/isaacs/node-tar/commit/7bc755dd85e623c0279e08eb3784909e6d7e4b9f", "url": "https://github.com/isaacs/node-tar/commit/7bc755dd85e623c0279e08eb3784909e6d7e4b9f" }, { "category": "external", "summary": "https://github.com/isaacs/node-tar/security/advisories/GHSA-qffp-2rhf-9h96", "url": "https://github.com/isaacs/node-tar/security/advisories/GHSA-qffp-2rhf-9h96" } ], "release_date": "2026-03-07T16:15:00Z", "remediations": [ { "category": "no_fix_planned", "details": "Exploitation requires a user or build task to extract an attacker‑crafted archive with node‑tar, and the bypass hinges on Windows drive‑letter semantics (e.g., C:..), which do not apply on Linux/Unix; it also depends on creating a hardlink to an existing file on the same NTFS volume, further narrowing practical reach. Given the local attack vector, required user interaction, and impact limited to integrity (no confidentiality or availability effect), this can be safely deprioritized unless Windows hosts are routinely extracting untrusted tarballs with vulnerable node‑tar versions.", "product_ids": [ "Ubuntu-18:tar-0:1.29b-2ubuntu0.4+tuxcare.els1.amd64", "Ubuntu-18:tar-0:1.29b-2ubuntu0.4.amd64", "Ubuntu-18:tar-scripts-0:1.29b-2ubuntu0.4+tuxcare.els1.amd64", "Ubuntu-18:tar-scripts-0:1.29b-2ubuntu0.4.amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N", "version": "3.1" }, "products": [ "Ubuntu-18:tar-0:1.29b-2ubuntu0.4+tuxcare.els1.amd64", "Ubuntu-18:tar-0:1.29b-2ubuntu0.4.amd64", "Ubuntu-18:tar-scripts-0:1.29b-2ubuntu0.4+tuxcare.els1.amd64", "Ubuntu-18:tar-scripts-0:1.29b-2ubuntu0.4.amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ] } ] }