CVE-2026-23950

Vulnerability

node-tar: tar: Arbitrary file overwrite via Unicode path collision race condition

ecosystem: redhat:6, redhat:9, redhat:10

A flaw was found in node-tar, a tar archive library for Node.js. The library's `path-reservations` system is meant to serialise extraction of entries that touch the same path, so that two concurrent writes cannot race against each other. Its handling of Unicode path collisions is incomplete on case-insensitive filesystems such as macOS APFS: two archive entries whose names the filesystem treats as the same file (for example, names that differ only in case) can receive separate reservations, so node-tar writes them concurrently instead of one after the other. An attacker who can supply a specially crafted tar archive containing such colliding filenames can bypass this concurrency safeguard, and successful exploitation can lead to arbitrary file overwrite. The attack requires that a user or automated process extract the attacker-supplied archive (UI:R in the CVSS vector below).

References
severity: Important

type: vendor

source: secalert@redhat.com

CVSS 3.1: 8.8 HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L

AV: Network
AC: Low
PR: None
UI: Required
S: Changed
C: Low
I: High
A: Low

source: secalert@redhat.com

CWE: CWE-367
Time-of-check Time-of-use (TOCTOU) Race Condition

source: secalert@redhat.com

published: 2026-01-20 00:40:48

modified: 2026-02-27 00:11:51

Detection

redhat:10 (CVE-2026-23950, source: redhat-vex)

OR (any of the following):

  • sgx-common: package type: binary; type: version; status: unfixed, Affected
  • sgx-libs: package type: binary; type: version; status: unfixed, Affected
  • sgx-mpa: package type: binary; type: version; status: unfixed, Affected
  • sgx-pckid-tool: package type: binary; type: version; status: unfixed, Affected
  • tdx-qgs: package type: binary; type: version; status: unfixed, Affected

tag: rhel-10:b80bcfb1-921f-0310-88a1-5d0eaf9eecb5

redhat:6 (CVE-2026-23950, source: redhat-vex)

OR (any of the following):

  • tar: package type: source; type: version; status: unfixed, Out of support scope; tag: rhel-6-els:6cb17187-108d-81fc-8d19-3476bb2653a1
  • tar: package type: source; type: version; status: unfixed, Out of support scope; tag: rhel-6-extras-including-unpatched:6cb17187-108d-81fc-8d19-3476bb2653a1
  • tar: package type: source; type: version; status: unfixed, Out of support scope; tag: rhel-6-including-unpatched:6cb17187-108d-81fc-8d19-3476bb2653a1
  • tar: package type: source; type: version; status: unfixed, Out of support scope; tag: rhel-6-supplementary:6cb17187-108d-81fc-8d19-3476bb2653a1

redhat:9 (CVE-2026-23950, source: redhat-vex)

OR (any of the following):

  • sgx-common: package type: binary; type: version; status: unfixed, Affected
  • sgx-libs: package type: binary; type: version; status: unfixed, Affected
  • sgx-mpa: package type: binary; type: version; status: unfixed, Affected
  • sgx-pckid-tool: package type: binary; type: version; status: unfixed, Affected
  • tdx-qgs: package type: binary; type: version; status: unfixed, Affected

tag: rhel-9-including-unpatched:3391f347-998d-8236-1771-5d3de3af53ff

Data Sources

  • RedHat Enterprise Linux CSAF VEX

    redhat-vex