The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - node-tar,a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This     is due to an incomplete handling of Unicode path collisions in the `path-reservations` system. On case-     insensitive or normalization-insensitive filesystems (such as macOS APFS, In which it has been tested),     the library fails to lock colliding paths (e.g., `` and `ss`), allowing them to be processed in parallel.
    This bypasses the library's internal concurrency safeguards and permits Symlink Poisoning attacks via race     conditions. The library uses a `PathReservations` system to ensure that metadata checks and file     operations for the same path are serialized. This prevents race conditions where one entry might clobber     another concurrently. This is a Race Condition which enables Arbitrary File Overwrite. This vulnerability     affects users and systems using node-tar on macOS (APFS/HFS+). Because of using `NFD` Unicode     normalization (in which `` and `ss` are different), conflicting paths do not have their order properly     preserved under filesystems that ignore Unicode normalization (e.g., APFS (in which `` causes an inode     collision with `ss`)). This enables an attacker to circumvent internal parallelization locks     (`PathReservations`) using conflicting filenames within a malicious tar archive. The patch in version     7.5.4 updates `path-reservations.js` to use a normalization form that matches the target filesystem's     behavior (e.g., `NFKD`), followed by first `toLocaleLowerCase('en')` and then `toLocaleUpperCase('en')`.
    As a workaround, users who cannot upgrade promptly, and who are programmatically using `node-tar` to     extract arbitrary tarball data should filter out all `SymbolicLink` entries (as npm does) to defend     against arbitrary file writes via this file system entry name collision issue. (CVE-2026-23950)

Note that Nessus relies on the presence of the package as reported by the vendor.

Detections

Analytics

Linux Distros Unpatched Vulnerability : CVE-2026-23950

high Nessus Plugin ID 293776

Version 1.2