CVE-2026-44788
Path Traversal vulnerability in sharpcompress (NuGet)

Path Traversal | No known exploit

What is CVE-2026-44788 About?

This vulnerability is a path traversal issue in `IArchive.WriteToDirectory()` that allows malicious archives to create directories outside the intended extraction root. This can lead to arbitrary directory creation for ZIP files and, for TAR archives, can be escalated to arbitrary file writes, posing a significant risk to system integrity. Exploitation is relatively easy because it relies on ordinary archive extraction functionality that runs without proper path checks.

Affected Software

sharpcompress <=0.47.4

Technical Details

The vulnerability resides in the `WriteToDirectoryInternal` and `WriteToDirectoryAsyncInternal` functions, specifically within `IArchiveExtensions.cs` and `IAsyncArchiveExtensions.cs`, where `Directory.CreateDirectory` is called without prior `Path.GetFullPath()` normalization or bounds checks. .NET's `Path.Combine` behavior contributes to the exploitability through 'Relative traversal' (e.g., `../../evil`) and 'Absolute path override' (e.g., `/tmp/evil`), allowing paths to escape the intended extraction root. While file entries are protected by a guard using `GetFullPath`, directory entries are processed via a fast-path that lacks this crucial validation.

For TAR archives, an escalation to arbitrary file writes is possible by chaining a symlink entry (e.g., `link -> ../evil_outside/`) with a subsequent file entry (e.g., `link/secret.txt`), where the OS follows the symlink to write to an attacker-controlled location outside the extraction root, especially if a `SymbolicLinkHandler` is used without proper `linkTarget` validation.
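The normalization and bounds check that the directory fast-path lacks can be written as a small guard applied to every entry name and every symlink target before anything touches the filesystem. This is an added example, not SharpCompress code or its fix; `ExtractionGuard`, `ResolveInsideRoot`, `ResolveLinkTarget` and the sample entry names are hypothetical, and it assumes .NET 5 or later.

```csharp
using System;
using System.IO;

// Added example: hypothetical pre-extraction guard, not part of SharpCompress.
static class ExtractionGuard
{
    // Returns the normalized destination of an entry, or throws if it leaves the root.
    public static string ResolveInsideRoot(string extractionRoot, string entryKey)
    {
        // Normalize the root and end it with a separator so that a sibling such as
        // "<root>-evil" cannot satisfy the prefix test below.
        string root = Path.GetFullPath(extractionRoot);
        if (!root.EndsWith(Path.DirectorySeparatorChar))
            root += Path.DirectorySeparatorChar;

        // Path.Combine returns a rooted entryKey unchanged and keeps ".." segments;
        // GetFullPath collapses them so the comparison sees the real destination.
        string full = Path.GetFullPath(Path.Combine(root, entryKey));
        var cmp = OperatingSystem.IsWindows()
            ? StringComparison.OrdinalIgnoreCase : StringComparison.Ordinal;
        if (!(full + Path.DirectorySeparatorChar).StartsWith(root, cmp))
            throw new IOException($"Entry '{entryKey}' resolves outside the extraction root.");
        return full;
    }

    // A relative link target is resolved against the directory that holds the link.
    public static string ResolveLinkTarget(string extractionRoot, string linkKey, string linkTarget)
    {
        string linkDir = Path.GetDirectoryName(linkKey.TrimEnd('/', '\\')) ?? "";
        return ResolveInsideRoot(extractionRoot, Path.Combine(linkDir, linkTarget));
    }

    static void Report(string label, Func<string> check)
    {
        try { Console.WriteLine($"ALLOW  {label} => {check()}"); }
        catch (IOException e) { Console.WriteLine($"REJECT {label}: {e.Message}"); }
    }

    static void Main()
    {
        string root = Path.Combine(Path.GetTempPath(), "extract-root"); // constructed root
        // Constructed entry names following the patterns described above.
        foreach (var key in new[] { "docs/", "../../evil", "/tmp/evil", "link/secret.txt" })
            Report(key, () => ResolveInsideRoot(root, key));
        // "link/secret.txt" is lexically inside the root, so the name check alone cannot
        // catch the TAR chain; the symlink entry's target has to be validated as well.
        Report("link -> ../evil_outside/", () => ResolveLinkTarget(root, "link", "../evil_outside/"));
    }
}
```

The check is purely lexical, so it does not account for symlinks that already exist under the extraction root before extraction starts.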

What is the Impact of CVE-2026-44788?

Successful exploitation may allow attackers to create arbitrary directories on the filesystem, potentially leading to privilege escalation or alteration of application behavior. In the case of TAR archives, attackers may achieve arbitrary file writes, enabling them to completely compromise the system subject to the permissions of the running process.

What is the Exploitability of CVE-2026-44788?

Exploitation of this vulnerability is of moderate complexity, primarily requiring the creation of a specially crafted malicious archive (ZIP or TAR). No authentication is required, as the attack occurs during the extraction of an archive. Privilege requirements align with the permissions of the process operating on the archive, meaning if the affected application runs with elevated privileges, the impact will be more severe. The exploit mechanism is remote, as the malicious archive can be delivered through any vector that allows file upload or processing. Special conditions include the use of TAR archives with a SymbolicLinkHandler for arbitrary file write escalation. The risk is heightened in scenarios where applications routinely unpack untrusted archives, such as file upload services or automated processing systems.

What are the Known Public Exploits?

No known exploits

What are the Available Fixes for CVE-2026-44788?

Available Upgrade Options

  • No fixes available

What are Similar Vulnerabilities to CVE-2026-44788?

Similar Vulnerabilities: CVE-2021-4134, CVE-2022-2977, CVE-2023-34048, CVE-2023-41276, CVE-2023-43644