CVE-2026-32809
Symlink Resolution Bypass in ouch
Description
A symlink resolution vulnerability was discovered in ouch, a Rust-based compression and
decompression tool. The create_symlink() function in src/utils/fs.rs accepts
user-controlled symlink destinations from tar archives without any sanitization or validation.
While regular file extraction undergoes path validation via the tar-rs library, symlink targets bypass these checks entirely. No absolute path checks, traversal prevention, or containment verification are performed on symlink destinations.
Technical Details
Root Cause
The create_symlink() function trusts the symlink target path from the archive entry directly.
Unlike regular files, which undergo extraction path validation through tar-rs, symlinks are created with
whatever target the archive specifies — including paths outside the extraction directory.
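As an added illustration of the missing check (example code written for this advisory, not ouch's own source), the following Rust function shows the containment validation that create_symlink() is described as lacking: it rejects absolute targets and any target whose lexical resolution, taken from the link's own directory, climbs out of the extraction root. The function name, the archive-relative link path convention and the purely lexical approach are assumptions.

```rust
use std::path::{Component, Path, PathBuf};

/// Lexically normalize `path`: drop `.` and fold `..`, without touching the
/// filesystem. Returns None for absolute paths and for any `..` that would
/// climb above the start of `path`.
fn normalize_lexically(path: &Path) -> Option<PathBuf> {
    let mut out = PathBuf::new();
    for comp in path.components() {
        match comp {
            Component::Prefix(_) | Component::RootDir => return None,
            Component::CurDir => {}
            Component::ParentDir => {
                if !out.pop() {
                    return None;
                }
            }
            Component::Normal(seg) => out.push(seg),
        }
    }
    Some(out)
}

/// Hypothetical pre-creation check for a tar symlink entry.
/// `link_path` is the entry's path inside the archive (relative to the
/// extraction root); `target` is the link destination the archive supplies.
/// Accepts the entry only if both the link and the target, resolved from the
/// link's own directory, stay inside the extraction root.
pub fn symlink_target_is_contained(link_path: &Path, target: &Path) -> bool {
    if target.as_os_str().is_empty() {
        return false;
    }
    let link = match normalize_lexically(link_path) {
        Some(p) if !p.as_os_str().is_empty() => p,
        _ => return false, // absolute, empty, or escaping link path
    };
    // Symlink targets resolve relative to the directory holding the link.
    let base = link.parent().unwrap_or(Path::new(""));
    normalize_lexically(&base.join(target)).is_some()
}

fn main() {
    // Constructed sample entries: (link path in archive, symlink target).
    let entries = [("sub/link", "../file.txt"), ("link", "../../etc/shadow"), ("link", "/etc/shadow")];
    for &(link, target) in entries.iter() {
        let ok = symlink_target_is_contained(Path::new(link), Path::new(target));
        println!("{} -> {}: {}", link, target, if ok { "allow" } else { "reject" });
    }
}
```

A lexical check alone does not account for symlinks created by earlier entries in the same archive, so an extractor also needs to resolve each link's parent directory against the on-disk state before creating it.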
Affected Archive Formats
All tar-based formats handled by ouch are affected:
.tar, .tar.gz, .tar.bz2, .tar.xz, .tar.lz4, .tar.lzma, .tar.sz, .tar.zst
Attack Scenario
An attacker crafts a malicious tar archive containing symlinks pointing to sensitive files such as
SSH keys (~/.ssh/id_rsa), AWS credentials (~/.aws/credentials), or
system files (/etc/shadow). When a victim decompresses the archive using ouch, the
symlinks are created, allowing the attacker to read arbitrary files through subsequent archive
operations or file access.
Vulnerability Characteristics
- Attack Vector: Network — malicious archive distribution
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required — victim must decompress the archive
- Scope: Changed — symlinks can reach files outside the extraction context
Impact Assessment
- Confidentiality: High — arbitrary file read via symlink resolution
- Integrity: None
- Availability: None
The changed scope and high confidentiality impact result in a CVSS 7.4 (High) rating. Credential theft and sensitive data exposure are the primary risks.
Disclosure Timeline
- 2026-03-15: Vulnerability reported via GitHub Private Vulnerability Reporting
- 2026-03-16: CVE-2026-32809 assigned (GHSA-pcw6-cg54-qvm8)
Remediation
No patched version is available yet. Avoid decompressing untrusted tar archives with ouch until a fix is released. Consider using alternative extraction tools that validate symlink targets.
Discovered by: Kai Aizen (SnailSploit)