Ghostwire

CVE-2026-50163: `oras-go` tar extraction: Hardlink entry with relative Linkname escapes extract dir via process CWD resolution

HIGH CVSS 7.1 Exploit Available 2 PoC

Published: July 1, 2026 | Last Modified: July 1, 2026

Description

`oras-go` tar extraction: Hardlink entry with relative Linkname escapes extract dir via process CWD resolution

Ghostwire Analysis — What This Means Practically

This analysis is generated by Ghostwire from NVD, CISA KEV, EPSS, and open-source intelligence data. Verify findings through primary sources before acting.

Proof-of-Concept Exploits (2)

References