Multiple CVEs Discovered in tar Affecting Ubuntu and Mageia Systems
Severity: High (Score: 60.6)
Sources: Ubuntu, Linuxsecurity
Keywords: files, attacker, usn-8367-1, mageia, discovered, tar-fs, properly
Summary
Multiple vulnerabilities were identified in the tar utility, affecting Ubuntu 22.04 LTS and 24.04 LTS, as well as Mageia systems. These vulnerabilities allow attackers to craft malicious tar files that can lead to file overwriting or hidden file injection, bypassing pre-extraction inspection mechanisms. The vulnerabilities are tracked under CVE-2024-12905, CVE-2025-48387, and CVE-2025-59343 for Ubuntu, and CVE-2026-5704 for Mageia. The issues could allow remote attackers to write files outside the intended extraction directory or inject malicious content undetected. The vulnerabilities have been addressed in security updates released on June 2, 2026. Security professionals are urged to apply the patches immediately to mitigate potential exploitation.

Key Points:
- Multiple vulnerabilities in tar affect Ubuntu and Mageia systems.
- Attackers can exploit these flaws to overwrite files or inject hidden malicious files.
- Patches for the vulnerabilities were released on June 2, 2026.
Detailed Analysis
**Impact**

Ubuntu 22.04 LTS and 24.04 LTS systems, as well as Mageia Linux installations, are affected by multiple vulnerabilities in the tar utility. These flaws allow attackers to write or overwrite files outside intended extraction directories, potentially leading to unauthorized file creation or modification. The vulnerabilities pose risks to any sector relying on these Linux distributions, with no geographic limitations specified. The Mageia flaw specifically enables hidden file injection, increasing the risk of undetected compromise.

**Technical Details**

The attack vector involves crafting malicious tar archives that exploit path traversal and symlink validation bypasses (CVE-2024-12905, CVE-2025-48387, CVE-2025-59343) in Ubuntu tar-fs, and hidden file injection (CVE-2026-5704) in Mageia tar. These vulnerabilities enable attackers to bypass extraction path validation and pre-extraction inspection mechanisms, facilitating unauthorized file writes during archive extraction. No specific malware, tools, or IOCs are provided in the articles.

**Recommended Response**

Apply the latest security updates for tar packages on Ubuntu 22.04 LTS, 24.04 LTS, and Mageia systems immediately to remediate the vulnerabilities. Monitor extraction activities for anomalous file writes outside expected directories and implement file integrity monitoring to detect unauthorized changes. Harden extraction environments by restricting user permissions and validating archive contents before extraction where possible. No additional detection signatures or IOCs are currently available.
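The "validate archive contents before extraction" recommendation above is easy to get wrong by name-matching alone, because an entry can declare a symlink and a later entry can write through it. The following added example (not code from Ubuntu, Mageia, or the tar/tar-fs projects, and not tied to the specific CVE details, which the articles do not disclose) uses Python's standard `tarfile` module to inspect an archive before extraction and reject three classes of unsafe entries: paths that escape the extraction root, link targets that resolve outside it, and any entry whose path passes through a symlink declared earlier in the same archive. The archive contents are constructed inline for the demonstration; the function and entry names are the example's own.

```python
import io
import posixpath
import tarfile


def _norm(path):
    """Normalise an archive path lexically, the way extraction resolves it."""
    p = posixpath.normpath(path)
    return "" if p == "." else p


def _escapes(path):
    """True if a normalised, root-relative path leaves the extraction root."""
    return posixpath.isabs(path) or path == ".." or path.startswith("../")


def _through_symlink(name, symlink_dirs):
    """Return the first path prefix of `name` that was declared as a symlink."""
    parts = name.split("/")
    for i in range(1, len(parts)):
        prefix = "/".join(parts[:i])
        if prefix in symlink_dirs:
            return prefix
    return None


def find_unsafe_members(tar):
    """Return (member name, reason) for every entry that must not be extracted.

    Conservative by design: a write through *any* archive-declared symlink is
    refused, even if that symlink currently points inside the root.
    """
    problems = []
    symlink_dirs = {}  # normalised symlink path -> lexically resolved target
    for m in tar.getmembers():
        name = _norm(m.name)
        if _escapes(name):
            problems.append((m.name, "path escapes extraction root"))
            continue
        via = _through_symlink(name, symlink_dirs)
        if via is not None:
            problems.append((m.name, f"writes through symlink {via!r}"))
            continue
        if m.issym():
            target = m.linkname
            resolved = (target if posixpath.isabs(target)
                        else _norm(posixpath.join(posixpath.dirname(name), target)))
            if _escapes(resolved):
                problems.append((m.name, f"symlink target {target!r} escapes root"))
            else:
                symlink_dirs[name] = resolved
        elif m.islnk() and _escapes(_norm(m.linkname)):
            problems.append((m.name, f"hardlink target {m.linkname!r} escapes root"))
    return problems


def build_archive(entries):
    """Build an in-memory tar from (name, kind, payload) tuples (constructed test data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, kind, payload in entries:
            info = tarfile.TarInfo(name)
            if kind == "file":
                data = payload.encode()
                info.size = len(data)
                tf.addfile(info, io.BytesIO(data))
            else:
                info.type = {"dir": tarfile.DIRTYPE, "symlink": tarfile.SYMTYPE,
                             "hardlink": tarfile.LNKTYPE}[kind]
                if kind != "dir":
                    info.linkname = payload
                tf.addfile(info)
    buf.seek(0)
    return buf


def scan(entries):
    """Build the constructed archive and return its unsafe members."""
    with tarfile.open(fileobj=build_archive(entries), mode="r") as tf:
        return find_unsafe_members(tf)


# Constructed sample archives: one benign, one mixing benign and unsafe entries.
SAFE_ENTRIES = [("docs", "dir", None), ("docs/readme.txt", "file", "hello")]
UNSAFE_ENTRIES = [
    ("../../outside.txt", "file", "x"),        # classic '..' traversal
    ("/tmp/outside.txt", "file", "x"),         # absolute path
    ("escape", "symlink", "../../outside"),    # symlink pointing out of the root
    ("inside", "symlink", "data"),             # symlink that stays inside (allowed)
    ("inside/injected.txt", "file", "x"),      # but writing through it is refused
    ("hl", "hardlink", "../outside"),          # hardlink pointing out of the root
    ("data", "dir", None),                     # benign
    ("data/ok.txt", "file", "ok"),             # benign
]

if __name__ == "__main__":
    for name, reason in scan(UNSAFE_ENTRIES):
        print(f"REJECT {name}: {reason}")
```

Run as a script, the block lists the five rejected entries of the constructed unsafe archive; the benign archive yields no findings. The check is lexical (it never touches the filesystem), so it can run on untrusted input before any file is created; on Python 3.12 and later it complements, rather than replaces, the `filter="data"` option of `TarFile.extractall`.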
Source articles (2)
- Mageia 2026-0168: tar — Linuxsecurity · 2026-06-02
  Description: A flaw was found in tar. A remote attacker could exploit this vulnerability by crafting a malicious archive, leading to hidden file injection with fully attacker-controlled content. This…
- USN-8367-1: tar — Ubuntu · 2026-06-02
  Description: It was discovered that tar-fs did not properly limit paths when extracting crafted tar files. An attacker could possibly use this issue to write or overwrite files outside the intended extraction dire…
Timeline
- 2025-03-27 — CVE-2024-12905 published: A vulnerability in tar-fs allows file overwriting outside the intended directory.
- 2025-06-02 — CVE-2025-48387 published: Another tar-fs vulnerability allows improper validation of extraction paths.
- 2025-09-24 — CVE-2025-59343 published: A symlink validation bypass vulnerability in tar-fs is disclosed.
- 2026-06-02 — CVE-2026-5704 published: Mageia issues a security advisory for a flaw in tar allowing hidden file injection.
- 2026-06-02 — Patches released for tar vulnerabilities: Security updates addressing the vulnerabilities in tar were released for affected systems.
Related entities
- Zero-day Exploit (Attack Type)
- Mageia (Platform)
- Linux (Platform)
- CWE-22 - Path Traversal (Cwe)
- advisories.mageia.org (Domain)
- Ubuntu (Company)