SB2026042866 - Multiple vulnerabilities in tar-rs
Published: April 28, 2026 Updated: May 18, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 vulnerabilities.
1) Input validation error (CVE-ID: CVE-2026-33055)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to smuggle unexpected archive entries past validation checks.
The vulnerability exists due to improper input validation in the tar archive parser when processing tar archives with conflicting PAX size headers and base header sizes. A remote attacker can supply a specially crafted archive to smuggle unexpected archive entries past validation checks.
The issue can cause tar-rs to produce a different view of archive contents than other tar parsers, including cases where a symlink entry is seen by tar-rs but skipped by another parser.
2) UNIX symbolic link following (CVE-ID: CVE-2026-33056)
CWE-ID: CWE-61 - UNIX Symbolic Link (Symlink) Following
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to modify permissions of arbitrary directories outside the extraction root.
The vulnerability exists due to symlink following in unpack_dir when unpacking a crafted tar archive. A remote attacker can supply a tarball containing a symlink entry followed by a directory entry with the same name to modify permissions of arbitrary directories outside the extraction root.
3) Improper access control (CVE-ID: N/A)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to write files outside the intended extraction tree.
The vulnerability exists due to improper access control in unpack() when extracting an archive while the filesystem tree is being concurrently mutated by another process. A local user can modify the filesystem tree during extraction to write files outside the intended extraction tree.
This issue is relevant in environments where an untrusted or malicious process can concurrently alter the destination filesystem tree.
Remediation
Install update from vendor's website.
References
- https://github.com/alexcrichton/tar-rs/security/advisories/GHSA-gchp-q4r4-x4ff
- https://github.com/advisories/GHSA-gchp-q4r4-x4ff
- https://github.com/alexcrichton/tar-rs/security/advisories/GHSA-j4xf-2g29-59ph
- https://github.com/advisories/GHSA-j4xf-2g29-59ph
- https://github.com/composefs/tar-rs/security/advisories/GHSA-j4xf-2g29-59ph
- https://github.com/composefs/tar-rs/security/advisories/GHSA-747h-hw98-c42x