What is CVE-2022-26612?

A critical vulnerability in Apache Hadoop allows attackers to exploit symbolic links during TAR extraction, potentially leading to unauthorized file access. Immediate patching is essential to safeguard systems.

What is the severity of CVE-2022-26612?

CVE-2022-26612 has a severity rating of CRITICAL with a CVSS base score of 9.8.

CVE-2022-26612 | Critical Vulnerability in Apache Hadoop

In Apache Hadoop, a critical vulnerability identified as CVE-2022-26612 allows attackers to exploit symbolic links created during the TAR extraction process. This vulnerability is particularly severe on Windows systems where the unTar function fails to properly handle symbolic links, leading to unauthorized file access and potential system compromise.

The vulnerability has a CVSS score of 9.8, classifying it as critical. Organizations using affected versions of Apache Hadoop should prioritize patching immediately to prevent possible exploitation. The risk to organizations includes unauthorized access to sensitive files and potential system disruption.

As of now, there is no known public exploit for this vulnerability. However, the nature of the vulnerability indicates that it could be leveraged by attackers to gain access to files outside of the intended extraction directory, particularly on Windows platforms.

Organizations should address this issue as part of their priority patch cycle, given the potential for exploitation and the critical nature of the vulnerability.

Vulnerability Details

CVE-2022-26612 affects Apache Hadoop and was published on April 7, 2022. The vulnerability allows an attacker to create a symbolic link in the extraction directory, leading to potential unauthorized file access due to the way TAR entries are processed differently on Windows compared to Unix systems.

The vulnerability is categorized under CWE-59 (Improper Link Resolution Before File Access), indicating a flaw in how symbolic links are handled. It is essential for organizations to review their systems and ensure they are using version 3.2.3 or later of Apache Hadoop to mitigate this risk.

Technical Analysis

The root cause of CVE-2022-26612 lies in the unTar function's reliance on the unTarUsingJava method on Windows, which does not resolve symbolic links correctly. This oversight allows the extraction process to follow symbolic links, resulting in files being extracted outside the expected directory.

The attack vector is NETWORK, with low complexity and no privileges required, meaning an attacker can exploit the vulnerability without needing any special access. The impact on confidentiality, integrity, and availability is high, indicating that the exploitation can lead to severe consequences for affected systems.

Risk & Impact Analysis

The deployment of vulnerable versions of Apache Hadoop poses a significant risk to organizations. Attackers could exploit this vulnerability to gain access to files that are not meant to be accessible, leading to data breaches and loss of integrity in the system. The blast radius of such an attack could extend to sensitive data being leaked or manipulated.

Given the CVSS score of 9.8, organizations must treat this vulnerability with the utmost urgency and prioritize patching as soon as possible to mitigate risks.

Exploitation Status

Signal	Status
Known Exploit	No
Public PoC	No
Actively Exploited	No
Ransomware Use	No

Affected Versions

The following versions of Apache Hadoop are affected by CVE-2022-26612: all versions prior to 3.2.3, including versions 3.3.1 and 3.3.2.

Mitigation & Remediation

Organizations should update to Apache Hadoop version 3.2.3 or later to remediate this vulnerability. If immediate patching is not possible, consider implementing workarounds such as restricting the extraction of TAR files from untrusted sources.

Additionally, organizations may benefit from conducting a security assessment to evaluate their exposure to vulnerabilities like CVE-2022-26612 and improve their overall security posture.

Detection Guidance

Monitoring logs for unusual TAR extraction patterns and unexpected file creations can help detect potential exploitation attempts.

Organizations should also look for any unauthorized file access or modifications that occur during the TAR extraction process.

AppSecure Threat Intelligence Insight

The long-term significance of CVE-2022-26612 emphasizes the need for robust handling of symbolic links in software applications. Security teams should ensure that their systems are not only patched but also regularly assessed for similar vulnerabilities.

This vulnerability serves as a reminder for security practitioners to prioritize security testing and continuous monitoring to identify and remediate vulnerabilities proactively.

For comprehensive security, organizations should consider implementing a thorough application security assessment to identify and address vulnerabilities on an ongoing basis.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

CVE ID	Title	Severity	Vulnerability Type	Published
CVE-2025-65418	CVE-2025-65418: High Vulnerability in docuFORM Managed Print Service Client	HIGH	Path Traversal	May 11, 2026
CVE-2025-65417	CVE-2025-65417: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	XSS	May 11, 2026
CVE-2025-65416	CVE-2025-65416: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Unrestricted File Upload	May 11, 2026
CVE-2025-65415	CVE-2025-65415: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Session Fixation	May 11, 2026
CVE-2025-61314	CVE-2025-61314: High Vulnerability in GmbH Mecury Managed Print Services	HIGH	XSS	May 11, 2026

CVE-2022-26612: Critical Vulnerability in Apache Hadoop