CVE-2026-33055
published 2026-03-20CVE-2026-33055: tar-rs is a tar archive reading/writing library for Rust. Versions 0.4.44 and below have conditional logic that skips the PAX size header in cases where the…
medium5.1CVSS 4.0
AVNACLATNPRNUIAVCLVILVANSCNSINSANEXCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUXRXVXREXUX
tar-rs is a tar archive reading/writing library for Rust. Versions 0.4.44 and below have conditional logic that skips the PAX size header in cases where the base header size is nonzero. As part of CVE-2025-62518, the astral-tokio-tar project was changed to correctly honor PAX size headers in the case where it was different from the base header. This is almost the inverse of the astral-tokio-tar issue. Any discrepancy in how tar parsers honor file size can be used to create archives that appear differently when unpacked by different archivers. In this case, the tar-rs (Rust tar) crate is an outlier in checking for the header size - other tar parsers (including e.g. Go archive/tar) unconditionally use the PAX size override. This can affect anything that uses the tar crate to parse archives and expects to have a consistent view with other parsers. This issue has been fixed in version 0.4.45.
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| alexcrichton | tar-rs | < 0.4.45 | 0.4.45 |
| debian | rust-tar | < rust-tar 0.4.45-1 (forky) | rust-tar 0.4.45-1 (forky) |
| debian | rustc | < rust-tar 0.4.45-1 (forky) | rust-tar 0.4.45-1 (forky) |
| gnu | tar | >= 0 < 0.4.45 | 0.4.45 |
| gnu | tar | >= 0.0.0-0 < 0.4.45 | 0.4.45 |
| msrc | azl3_kata-containers-cc_3.15.0.aks0-7_on_azure_linux_3.0 | — | — |
| msrc | azl3_rpm-ostree_2024.4-6_on_azure_linux_3.0 | — | — |
| msrc | azl3_rust_1.75.0-25_on_azure_linux_3.0 | — | — |
| msrc | azl3_rust_1.90.0-4_on_azure_linux_3.0 | — | — |
| msrc | azl3_trident_0.21.0-1_on_azure_linux_3.0 | — | — |
| msrc | cbl2_kata-containers-cc_3.2.0.azl2-8_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_kata-containers_3.2.0.azl2-7_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_rpm-ostree_2022.1-8_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_rust_1.72.0-14_on_cbl_mariner_2.0 | — | — |
CVSS provenance
nvdv4.05.1MEDIUMCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
ghsa8.1HIGH
osv8.1HIGH