SB2026042866 - Multiple vulnerabilities in tar-rs



SB2026042866 - Multiple vulnerabilities in tar-rs

Published: April 28, 2026 Updated: May 18, 2026

Security Bulletin ID SB2026042866
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 33% Low 67%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 vulnerabilities.


1) Input validation error (CVE-ID: CVE-2026-33055)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to smuggle unexpected archive entries past validation checks.

The vulnerability exists due to improper input validation in the tar archive parser when processing tar archives with conflicting PAX size headers and base header sizes. A remote attacker can supply a specially crafted archive to smuggle unexpected archive entries past validation checks.

The issue can cause tar-rs to produce a different view of archive contents than other tar parsers, including cases where a symlink entry is seen by tar-rs but skipped by another parser.


2) UNIX symbolic link following (CVE-ID: CVE-2026-33056)

CWE-ID: CWE-61 - UNIX Symbolic Link (Symlink) Following

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to modify permissions of arbitrary directories outside the extraction root.

The vulnerability exists due to symlink following in unpack_dir when unpacking a crafted tar archive. A remote attacker can supply a tarball containing a symlink entry followed by a directory entry with the same name to modify permissions of arbitrary directories outside the extraction root.


3) Improper access control (CVE-ID: N/A)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to write files outside the intended extraction tree.

The vulnerability exists due to improper access control in unpack() when extracting an archive while the filesystem tree is being concurrently mutated by another process. A local user can modify the filesystem tree during extraction to write files outside the intended extraction tree.

This issue is relevant in environments where an untrusted or malicious process can concurrently alter the destination filesystem tree.


Remediation

Install update from vendor's website.