Main Vulnerability Database SB2026012003

SB2026012003 - Race condition in node-tar

Published: January 20, 2026

Security Bulletin ID SB2026012003

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Race condition (CVE-ID: CVE-2026-23950)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to a race condition in Path Reservations via Unicode Sharp-S (ß) Collisions on macOS APFS. A remote attacker can trick the victim into using a specially crafted archive to bypass the library's internal concurrency safeguards and perform Symlink Poisoning attacks.

Remediation

Install update from vendor's website.

References

https://github.com/isaacs/node-tar/security/advisories/GHSA-r6q2-hw4h-h46w