SB2026051893 - Input validation error in tar-rs
Published: May 18, 2026
Description
This security bulletin contains information about 1 vulnerability.
1) Input validation error (CVE-ID: N/A)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause inconsistent extraction behavior and obscure the presence of malicious files.
The vulnerability exists due to improper input validation in the tar stream parser when processing tar streams containing multiple header entries before a file entry. A remote attacker can supply a specially crafted tar archive to cause inconsistent extraction behavior and obscure the presence of malicious files.
A crafted archive can cause PAX header size extensions to be applied to an intermediary header rather than the subsequent file entry, which can desynchronize parsing so the archive is interpreted differently than by other tar parsers.
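A pre-extraction check for the header sequence described above, as an added example that is not code from tar-rs or from this bulletin. It assumes "intermediary" headers are typeflags x, g, L and K, and reads plain octal size fields only; the names find_ambiguous_size and entry, and the sample archive (checksum fields left blank), are constructed for illustration.

```rust
// Flags tar streams where a PAX `size=` override is followed by another
// metadata header instead of the file entry it should describe.
const BLOCK: usize = 512;

/// Octal size field of a header (bytes 124..136); base-256 sizes are not handled.
fn octal_size(h: &[u8]) -> usize {
    h[124..136].iter().filter(|b| (b'0'..=b'7').contains(*b))
        .fold(0, |n, b| n * 8 + (b - b'0') as usize)
}

/// True if PAX data holds a `size` record of the form "<len> size=<value>\n".
fn has_size_record(data: &[u8]) -> bool {
    data.split(|&b| b == b'\n').any(|rec| {
        rec.iter().position(|&b| b == b' ')
            .map_or(false, |sp| rec[sp + 1..].starts_with(b"size="))
    })
}

/// Byte offsets of metadata headers that follow a still-pending PAX size override.
pub fn find_ambiguous_size(tar: &[u8]) -> Vec<usize> {
    let (mut off, mut pending, mut hits) = (0, false, Vec::new());
    while off + BLOCK <= tar.len() {
        let h = &tar[off..off + BLOCK];
        if h.iter().all(|&b| b == 0) { break; } // end-of-archive marker
        let (flag, size) = (h[156], octal_size(h));
        let data_end = (off + BLOCK + size).min(tar.len());
        let meta = matches!(flag, b'x' | b'g' | b'L' | b'K'); // assumed set
        if meta && pending { hits.push(off); }
        if flag == b'x' && has_size_record(&tar[off + BLOCK..data_end]) { pending = true; }
        if !meta { pending = false; } // a real entry consumes the override
        off += BLOCK + (size + BLOCK - 1) / BLOCK * BLOCK;
    }
    hits
}

/// Constructed sample: one header (checksum left blank) plus zero-padded data.
pub fn entry(flag: u8, data: &[u8]) -> Vec<u8> {
    let mut v = vec![0u8; BLOCK];
    v[124..135].copy_from_slice(format!("{:011o}", data.len()).as_bytes());
    v[156] = flag;
    v.extend_from_slice(data);
    v.resize(BLOCK + (data.len() + BLOCK - 1) / BLOCK * BLOCK, 0);
    v
}

fn main() {
    let mut tar = entry(b'x', b"13 size=1024\n");
    tar.extend(entry(b'L', b"a.txt\0"));
    tar.extend(entry(b'0', b"hello"));
    println!("{:?}", find_ambiguous_size(&tar));
}
```

A non-empty result marks an archive that different parsers may read differently; rejecting or quarantining it before extraction avoids relying on any one parser's interpretation.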
Remediation
Install the update from the vendor's website.