Improper access control in tar-rs - #VU131730

 


Published: May 18, 2026


Vulnerability identifier: #VU131730
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-284
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Alex Crichton
Affected software:
tar-rs

Detailed vulnerability description

The vulnerability allows a local user to write files outside the intended extraction tree.

The vulnerability exists due to improper access control in unpack() when extracting an archive while the filesystem tree is being concurrently mutated by another process. A local user can modify the filesystem tree during extraction to write files outside the intended extraction tree.

This issue is relevant in environments where an untrusted or malicious process can concurrently alter the destination filesystem tree.
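
To tell whether a deployment matches the situation described above, the destination path can be audited before unpack() is called. This is an added example, not code from tar-rs or from this advisory: `audit_destination`, `Exposure` and the sample tree are hypothetical, and it assumes a Unix host where `base` and every directory above it are controlled by the extracting user.

```rust
use std::os::unix::fs::{symlink, MetadataExt, PermissionsExt};
use std::path::{Path, PathBuf};
use std::{fs, io};

#[derive(Debug, PartialEq)]
pub enum Exposure {
    Symlink(PathBuf),          // component is a link and can redirect writes
    WritableByOthers(PathBuf), // foreign owner, or group/world write bit set
}

/// Hypothetical helper (not a tar-rs API): lstat every component from `dest`
/// up to `base` and list those another local user could replace or write into.
pub fn audit_destination(base: &Path, dest: &Path) -> io::Result<Vec<Exposure>> {
    if !dest.starts_with(base) {
        return Err(io::Error::new(io::ErrorKind::InvalidInput, "dest not under base"));
    }
    let owner = fs::symlink_metadata(base)?.uid(); // assumption: the extracting user
    let mut found = Vec::new();
    for p in dest.ancestors().take_while(|p| p.starts_with(base)) {
        let meta = fs::symlink_metadata(p)?; // lstat: final component not followed
        if meta.file_type().is_symlink() {
            found.push(Exposure::Symlink(p.to_path_buf()));
        } else if meta.uid() != owner || meta.permissions().mode() & 0o022 != 0 {
            found.push(Exposure::WritableByOthers(p.to_path_buf()));
        }
    }
    Ok(found)
}

/// Constructed sample tree in the temp dir: private/ (0700), shared/ (0777)
/// and link -> private. Returns the audit result for each, in that order.
pub fn demo() -> io::Result<Vec<Vec<Exposure>>> {
    let base = std::env::temp_dir().join(format!("audit-demo-{}", std::process::id()));
    for (name, mode) in [("", 0o700), ("private", 0o700), ("shared", 0o777)] {
        fs::create_dir_all(base.join(name))?;
        fs::set_permissions(base.join(name), fs::Permissions::from_mode(mode))?;
    }
    symlink(base.join("private"), base.join("link"))?;
    let dests = ["private", "shared", "link"];
    let out = dests.iter().map(|d| audit_destination(&base, &base.join(d))).collect();
    fs::remove_dir_all(&base)?;
    out
}

fn main() -> io::Result<()> {
    println!("{:#?}", demo()?);
    Ok(())
}
```

An empty result is a point-in-time snapshot of ownership and permissions; it identifies destinations that match the advisory's precondition and does not replace the vendor update.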


Remediation

Install the security update from the vendor's website.
