{"id":"CVE-2026-55738","summary":"Stack Buffer Overflow in rxi/microtar raw_to_header() via non-null-terminated TAR name field","details":"A stack-based buffer overflow exists in the raw_to_header() function in src/microtar.c in rxi microtar 0.1.0. The function copies the 100-byte name and linkname fields of a TAR header with strcpy() without guaranteeing null termination of the source. The POSIX ustar format permits these fixed-width fields to be fully populated with non-null bytes, so a crafted archive whose linkname field (followed by the trailing padding of the 512-byte raw header) contains no null terminator causes strcpy() to read past the end of the 512-byte raw header stack buffer and to write past the destination header buffer. A remote attacker who supplies a crafted TAR archive that the victim opens or parses (via mtar_open(), mtar_read_header(), or mtar_find()) can cause an out-of-bounds read and a stack buffer overflow, resulting in denial of service (crash) and potentially arbitrary code execution. Confirmed with AddressSanitizer: stack-buffer-overflow READ of size 356 in raw_to_header at src/microtar.c:112.","modified":"2026-07-08T08:09:47.233571271Z","published":"2026-06-17T13:45:00.399Z","database_specific":{"cwe_ids":["CWE-121","CWE-170"],"cna_assigner":"TuranSec","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/55xxx/CVE-2026-55738.json"},"references":[{"type":"WEB","url":"https://github.com/rxi/microtar/blob/master/src/microtar.c#L111"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/55xxx/CVE-2026-55738.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-55738"},{"type":"PACKAGE","url":"https://github.com/rxi/microtar"},{"type":"ARTICLE","url":"https://raw.githubusercontent.com/rxi/microtar/master/src/microtar.c"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/rxi/microtar","events":[{"introduced":"956791770defa4d06696b30db276e88a09ad3538"},{"last_affected":"956791770defa4d06696b30db276e88a09ad3538"}],"database_specific":{"extracted_events":[{"introduced":"0.1.0"},{"last_affected":"0.1.0"}],"source":"AFFECTED_FIELD"}}],"versions":["0.1.0","v0.1.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-55738.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}]}