dotnet · Microsoft.NETCore.App.Runtime.linux-x64 · Heads-up
Microsoft.NETCore.App.Runtime.linux-x64 Symlink Traversal in TarFile.ExtractToDirectory
What changed
A tampering vulnerability in System.Formats.Tar's TarFile.ExtractToDirectory method allows symlink path traversal for arbitrary file writes outside the intended extraction directory.
Who it affects
Any Microsoft .NET project using affected package versions: Microsoft.NETCore.App.Runtime >=10.0.0 <=10.0.8, >=9.0.0 <=9.0.16, >=8.0.0 <=8.0.27.
What to do today
Update to patched versions: 10.0.9, 9.0.17, or 8.0.28. Restart apps. Recompile self-contained deployments.
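Until every deployment is on a patched runtime, untrusted archives can be screened before they reach TarFile.ExtractToDirectory. The C# sketch below is an added example, not Microsoft's code and not the patch: it reads entry metadata with TarReader and reports generic link-escape patterns (an entry path or link target that resolves outside the destination, or an entry written through a link declared earlier in the same archive). The class name TarLinkAudit, its methods, the destination /srv/unpack and the sample entries are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Formats.Tar;
using System.IO;
static class TarLinkAudit
{
    // True when 'path' is 'root' itself or lies below it.
    static bool Inside(string root, string path) =>
        path == root || path.StartsWith(root + Path.DirectorySeparatorChar, StringComparison.Ordinal);
    // One finding per entry that would leave 'destDir' or be written through a link entry.
    public static List<string> Audit(IEnumerable<(string Name, TarEntryType Type, string Link)> entries, string destDir)
    {
        string root = Path.GetFullPath(destDir).TrimEnd(Path.DirectorySeparatorChar);
        var links = new HashSet<string>(StringComparer.Ordinal);
        var findings = new List<string>();
        foreach (var (name, type, link) in entries)
        {
            string full = Path.GetFullPath(Path.Combine(root, name));
            if (!Inside(root, full)) findings.Add($"{name}: path leaves destination");
            // Walk the parent directories: is any of them a link declared earlier in the archive?
            for (string? p = Path.GetDirectoryName(full); p != null && Inside(root, p); p = Path.GetDirectoryName(p))
                if (links.Contains(p)) { findings.Add($"{name}: written through link {p}"); break; }
            if (type is TarEntryType.SymbolicLink or TarEntryType.HardLink)
            {
                links.Add(full);
                // Symlink targets resolve from the link's own directory, hard links from the root.
                string baseDir = type == TarEntryType.SymbolicLink ? Path.GetDirectoryName(full) ?? root : root;
                if (!Inside(root, Path.GetFullPath(Path.Combine(baseDir, link))))
                    findings.Add($"{name}: link target {link} leaves destination");
            }
        }
        return findings;
    }
    // Reads entry metadata only; nothing is extracted.
    public static List<string> AuditArchive(Stream tar, string destDir)
    {
        var meta = new List<(string, TarEntryType, string)>();
        using var reader = new TarReader(tar, leaveOpen: true);
        while (reader.GetNextEntry() is TarEntry e) meta.Add((e.Name, e.EntryType, e.LinkName));
        return Audit(meta, destDir);
    }
    static void Main()
    {
        // Constructed entry metadata for illustration, not taken from a real archive.
        var sample = new[] { ("docs/readme.txt", TarEntryType.RegularFile, ""),
            ("cache", TarEntryType.SymbolicLink, "../elsewhere"), ("cache/data.bin", TarEntryType.RegularFile, "") };
        foreach (string f in Audit(sample, "/srv/unpack")) Console.WriteLine(f);
    }
}
```

The check looks only at the archive's own entries; links that already exist in the destination directory are outside its scope, so extract into a fresh, empty directory and treat any finding as a reason to reject the archive.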