CVE-2026-32766 — Interpretation Conflict in Tokio-tar
Severity: 1.7 LOW (NVD)
EPSS: 0.0% (top 94.85%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Mar 20
Description
astral-tokio-tar is a tar archive reading/writing library for async Rust. In versions 0.5.6 and earlier, malformed PAX extensions were silently skipped when parsing tar archives. This silent skipping (rather than rejection) of invalid PAX extensions could be used as a building block for a parser differential, for example by silently skipping a malformed GNU “long link” extension so that a subsequent parser would misinterpret the extension. In practice, exploiting this behavior in astral-tokio-ta…
CVSS vector
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Affected Packages: 1 package
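
The description's distinction between silently skipping and rejecting a malformed PAX extension, shown as an added Rust example (not code from astral-tokio-tar). The function names, the modelling of "skipped" as dropping the whole extension, the UTF-8 requirement and the sample bytes are assumptions made for illustration.

```rust
// Added illustration, not astral-tokio-tar code. A PAX record is "<len> <key>=<value>\n";
// <len> is decimal and counts the whole record, its own digits and the newline included.
type Records = Vec<(String, String)>;

/// Parse the record at the start of `buf`; returns (key, value, bytes consumed).
fn parse_record(buf: &[u8]) -> Result<(&str, &str, usize), String> {
    let sp = buf.iter().position(|&b| b == b' ').ok_or("no space after length")?;
    if !buf[..sp].iter().all(u8::is_ascii_digit) {
        return Err("length is not plain decimal".into());
    }
    let len = std::str::from_utf8(&buf[..sp]).ok()
        .and_then(|s| s.parse::<usize>().ok())
        .ok_or("length does not parse")?;
    if len <= sp + 1 || len > buf.len() {
        return Err(format!("length {len} does not fit the data"));
    }
    let body = buf[sp + 1..len].strip_suffix(b"\n").ok_or("record lacks final newline")?;
    let body = std::str::from_utf8(body).map_err(|_| "record is not UTF-8")?;
    let (key, value) = body.split_once('=').ok_or("record has no '='")?;
    if key.is_empty() {
        return Err("empty keyword".into());
    }
    Ok((key, value, len))
}

/// Strict: one malformed record rejects the whole extension.
fn parse_strict(mut buf: &[u8]) -> Result<Records, String> {
    let mut out = Records::new();
    while !buf.is_empty() {
        let (k, v, n) = parse_record(buf)?;
        out.push((k.to_string(), v.to_string()));
        buf = &buf[n..];
    }
    Ok(out)
}

/// Lenient (assumed model of "silently skipped"): a bad extension is dropped without error.
fn parse_lenient(buf: &[u8]) -> Records {
    parse_strict(buf).unwrap_or_default()
}

fn main() {
    // Constructed sample: a valid path record followed by one whose length overruns the data.
    let ext = b"14 path=a.txt\n99 linkpath=b\n";
    println!("lenient: {:?}", parse_lenient(ext));
    println!("strict:  {:?}", parse_strict(ext));
}
```

On the constructed sample the lenient reader returns no records and no error, so the entry keeps its original header fields, while a reader that accepted the first record would apply the `path` override. The strict reader refuses the input, which removes the disagreement.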