
CVE-2026-32809 | Symlink Resolution Bypass in ouch

CVE-2026-32809: Unvalidated symlink targets in ouch tar extraction enable arbitrary file read via crafted archives. Affects all tar formats. CVSS 7.4.

TL;DR
A symlink resolution vulnerability was discovered in ouch, a Rust-based compression and decompression tool. The create_symlink() function in src/utils/fs.rs accepts user-controlled symlink destinations from tar archives without any sanitization or validation.

Description

A symlink resolution vulnerability was discovered in ouch, a Rust-based compression and decompression tool. The create_symlink() function in src/utils/fs.rs accepts user-controlled symlink destinations from tar archives without any sanitization or validation.

While regular file extraction undergoes path validation via the tar-rs library, symlink targets bypass these checks entirely. No absolute path checks, traversal prevention, or containment verification are performed on symlink destinations.

Technical Details

Root Cause

The create_symlink() function trusts the symlink target path from the archive entry directly. Unlike regular files which undergo extraction path validation through tar-rs, symlinks are created with whatever target the archive specifies — including paths outside the extraction directory.
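The missing check, written out as an added example (this is not ouch's code, and resolve_symlink_target / is_safe_symlink are names chosen here): the symlink target is resolved lexically against the archive-relative directory that will contain the link, and the link is refused if it is absolute or if any `..` would climb above the extraction root. The check is purely lexical and deliberately does no filesystem access, so it does not detect a parent directory that was itself extracted as a symlink earlier in the same archive; that case needs a separate check before extraction.

```rust
use std::path::{Component, Path, PathBuf};

/// Lexically resolve `target` relative to the directory that will contain the
/// symlink entry `entry_path` (both paths as stored in the archive).
/// Returns the normalized path relative to the extraction root, or None when
/// the link would point outside the extraction root.
fn resolve_symlink_target(entry_path: &Path, target: &Path) -> Option<PathBuf> {
    // An absolute target (for example /etc/shadow) can never be contained.
    if target.is_absolute() {
        return None;
    }
    // Directory inside the extraction root where the link itself is created.
    let base = entry_path.parent().unwrap_or_else(|| Path::new(""));
    let mut resolved: Vec<String> = Vec::new();
    // Walk the link's own location first, then the target it points at, so
    // "data/link" -> "../x" resolves to "x" and "data/link" -> "../../x" fails.
    for comp in base.components().chain(target.components()) {
        match comp {
            Component::Normal(s) => resolved.push(s.to_string_lossy().into_owned()),
            Component::CurDir => {}
            Component::ParentDir => {
                // Popping past the extraction root means the link escapes it.
                if resolved.pop().is_none() {
                    return None;
                }
            }
            // Root or drive-prefix components only occur in absolute paths.
            Component::RootDir | Component::Prefix(_) => return None,
        }
    }
    Some(resolved.iter().collect())
}

/// Convenience wrapper for the decision an extractor would make per entry.
fn is_safe_symlink(entry_path: &str, target: &str) -> bool {
    resolve_symlink_target(Path::new(entry_path), Path::new(target)).is_some()
}

fn main() {
    // Constructed sample entries, as they might appear in a crafted archive.
    let samples = [
        ("data/link", "../config.txt"),
        ("data/link", "../../etc/passwd"),
        ("creds", "/home/user/.aws/credentials"),
    ];
    for (entry, target) in samples {
        println!("{entry} -> {target}: safe = {}", is_safe_symlink(entry, target));
    }
}
```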

Affected Archive Formats

All tar-based formats handled by ouch are affected:

  • .tar, .tar.gz, .tar.bz2, .tar.xz
  • .tar.lz4, .tar.lzma, .tar.sz, .tar.zst

Attack Scenario

An attacker crafts a malicious tar archive containing symlinks pointing to sensitive files such as SSH keys (~/.ssh/id_rsa), AWS credentials (~/.aws/credentials), or system files (/etc/shadow). When a victim decompresses the archive using ouch, the symlinks are created, allowing the attacker to read arbitrary files through subsequent archive operations or file access.

Vulnerability Characteristics

  • Attack Vector: Network — malicious archive distribution
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required — victim must decompress the archive
  • Scope: Changed — symlinks can reach files outside the extraction context

Impact Assessment

  • Confidentiality: High — arbitrary file read via symlink resolution
  • Integrity: None
  • Availability: None

The changed scope and high confidentiality impact result in a CVSS 7.4 (High) rating. Credential theft and sensitive data exposure are the primary risks.

Disclosure Timeline

  • 2026-03-15: Vulnerability reported via GitHub Private Vulnerability Reporting
  • 2026-03-16: CVE-2026-32809 assigned (GHSA-pcw6-cg54-qvm8)

Remediation

No patched version is available yet. Avoid decompressing untrusted tar archives with ouch until a fix is released. Consider using alternative extraction tools that validate symlink targets.

Discovered by: Kai Aizen (SnailSploit)

cite this work
BibTeX
@misc{aizen2026cve,
  author = {Aizen, Kai},
  title  = {CVE-2026-32809 | Symlink Resolution Bypass in ouch},
  year   = {2026},
  url    = {https://snailsploit.com/security-research/cves/cve-2026-32809/},
  note   = {snailsploit.com}
}
Permalink: https://snailsploit.com/security-research/cves/cve-2026-32809/
Author
Kai Aizen
Independent Adversarial · Research group. 79 published CVEs, 5 Linux kernel mainline patches, creator of AATMF / P.R.O.M.P.T / SEF, author of Adversarial Minds.
Quick facts
ID
CVE-2026-32809
Product
ouch
Severity
— · Pending
Class
Symlink Resolution Bypass
References: NVD · MITRE · snailsploit CVE ledger
Frequently asked

CVE-2026-32809 — questions & answers

What is CVE-2026-32809?

CVE-2026-32809 is a disclosed vulnerability (Symlink Resolution Bypass) in ouch, coordinated through the standard CVE process by independent security researcher Kai Aizen.

Am I affected by CVE-2026-32809?

You are affected if your environment runs an unpatched version of ouch. Check the upstream advisory or NVD record for the precise affected version range, then verify against your deployed version.

How do I fix CVE-2026-32809?

Upgrade ouch to the version that includes the upstream fix referenced in the NVD record. If an immediate upgrade is not possible, apply the mitigation guidance from the vendor advisory and restrict exposure of the affected surface area.

What is the impact of CVE-2026-32809?

CVSS — · Pending. The vulnerability class is Symlink Resolution Bypass; consult the NVD and vendor advisory for vector details, exploitation prerequisites, and observed impact.

Where can I find authoritative references?

NVD record at https://nvd.nist.gov/vuln/detail/CVE-2026-32809, the MITRE CVE record at https://www.cve.org/CVERecord?id=CVE-2026-32809, and the vendor's security advisory page.