Description
A flaw was found in the src/list.c of tar 1.33 and earlier. This flaw allows an attacker who can submit a crafted input file to tar to cause uncontrolled consumption of memory. The highest threat from this vulnerability is to system availability.
References (4)
Core 4
Core References
Issue Tracking, Patch, Third Party Advisory x_refsource_misc
https://bugzilla.redhat.com/show_bug.cgi?id=1917565
Issue Tracking, Patch, Vendor Advisory x_refsource_misc
https://savannah.gnu.org/bugs/?59897
Mailing List, Patch, Third Party Advisory x_refsource_misc
https://git.savannah.gnu.org/cgit/tar.git/commit/?id=d9d4435692150fa8ff68e1b1a473d187cc3fd777
Third Party Advisory vendor-advisory
x_refsource_gentoo
https://security.gentoo.org/glsa/202105-29
Scores
CVSS v3
3.3
EPSS
0.0007
EPSS Percentile
21.1%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Details
CWE
CWE-125
CWE-401
Status
published
Products (1)
gnu/tar
< 1.33
Published
Mar 26, 2021
Tracked Since
Feb 18, 2026