A flaw in GNU tar 1.35 allows a crafted archive to show one set of contents during listing while extracting additional hidden files. The issue stems from a desynchronization between tar -t and tar -x: listing honors the size field for some non-data-bearing typeflags and skips data blocks, while extraction ignores that size and treats the same blocks as new headers. Researchers said the behavior affects symlink, character device, block device, and FIFO entries, but not directory entries, enabling hidden file injection with an archive reportedly smaller than 3 KB.
The bug was disclosed on the GNU bug-tar and oss-sec mailing lists, where Red Hat was reported to have assigned CVE-2026-5704. A patch from GNU tar maintainer Paul Eggert was published to the GNU tar mailing list and committed to the upstream repository. Follow-up discussion on oss-sec also noted maintainer skepticism about parts of the original report and broader concerns about low-quality, possibly LLM-generated vulnerability submissions, but the technical issue and upstream fix were separately referenced in the disclosure and source commit.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
5 events from the most recent confirmed update back to the earliest known activity.
In an April 12, 2026 reply on oss-sec, GNU tar maintainer Paul Eggert said the report was on his review list but described much of the underlying bug report as "AI slop," making it a low-priority item for him. The discussion reflected maintainer skepticism rather than confirmation of the vulnerability.
The disclosure and follow-up discussion said Paul Eggert provided a patch for the issue and that it was published on the GNU tar mailing list and in the tar git repository. A corresponding tar.git commit is included among the references.
A report describing a GNU tar listing/extraction desynchronization issue that could enable hidden file injection was posted to the bug-tar mailing list. Later disclosures explicitly referenced this earlier bug-tar report as the initial appearance of the issue.
An oss-sec discussion noted that Red Hat appeared to have assigned CVE-2026-5704 to the GNU tar listing/extraction desynchronization issue. The CVE reference was discussed in follow-up mailing list traffic rather than as a formal vendor announcement in the provided sources.
An oss-sec disclosure described a GNU tar 1.35 issue where `tar -t` and `tar -x` handle certain archive entries differently, allowing files to be extracted that were not shown during listing. The post said the flaw affected symlink, character device, block device, and FIFO entries and could be triggered with a crafted archive smaller than 3 KB.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
8 references tracked. Mallory keeps watching after this page renders.
seclists.org
Open sourcecgit.git.savannah.gnu.org
Open sourcelists.gnu.org
Open sourcelists.gnu.org
Open sourcelists.gnu.org
Open sourcelists.gnu.org
Open sourceseclists.org
Open sourceseclists.org
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.