Input validation error in tar-rs - #VU131747

Published: May 18, 2026


Vulnerability identifier: #VU131747
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Alex Crichton
Affected software:
tar-rs

Detailed vulnerability description

The vulnerability allows a remote attacker to cause inconsistent extraction behavior and obscure the presence of malicious files.

The vulnerability exists due to improper input validation in the tar stream parser when processing tar streams containing multiple header entries before a file entry. A remote attacker can supply a specially crafted tar archive to cause inconsistent extraction behavior and obscure the presence of malicious files.

A crafted archive can cause PAX header size extensions to be applied to an intermediary header rather than to the subsequent file entry, which desynchronizes parsing so that the archive is interpreted differently from how other tar parsers interpret it.

Remediation

Install the security update from the vendor's website.

Sources