Input validation error in tar-rs - CVE-2026-33055
Published: April 28, 2026
Vulnerability identifier: #VU128322
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-33055
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Alex Crichton
Affected software:
tar-rs
tar-rs
Detailed vulnerability description
The vulnerability allows a remote attacker to smuggle unexpected archive entries past validation checks.
The vulnerability exists due to improper input validation in the tar archive parser when processing tar archives with conflicting PAX size headers and base header sizes. A remote attacker can supply a specially crafted archive to smuggle unexpected archive entries past validation checks.
The issue can cause tar-rs to produce a different view of archive contents than other tar parsers, including cases where a symlink entry is seen by tar-rs but skipped by another parser.
How to mitigate CVE-2026-33055
Install security update from vendor's website.