CVE-2026-33056 — UNIX Symbolic Link (Symlink) Following in Tar-rs

CWE-61 — UNIX Symbolic Link (Symlink) Following CWE-59 — Link Following19 documents10 sources

Severity

5.1MEDIUMNVD

EPSS

0.0%

top 98.58%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Alexcrichton Tar-rs TAR Project TAR GNU TAR

Timeline

PublishedMar 20

Latest updateApr 14

Description

tar-rs is a tar archive reading/writing library for Rust. In versions 0.4.44 and below, when unpacking a tar archive, the tar crate's unpack_dir function uses fs::metadata() to check whether a path that already exists is a directory. Because fs::metadata() follows symbolic links, a crafted tarball containing a symlink entry followed by a directory entry with the same name causes the crate to treat the symlink target as a valid existing directory — and subsequently apply chmod to it. This allows …

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Packages3 packages

▶crates.iognu/tar0.0.0-0 — 0.4.45+1

▶NVDtar_project/tar< 0.4.45

▶CVEListV5alexcrichton/tar-rs< 0.4.45

Patches

Patch: github.com ↗

🔴Vulnerability Details

CVEList

tar-rs: unpack_in can chmod arbitrary directories by following symlinks↗2026-03-20

▶

OSV

tar-rs `unpack_in` can chmod arbitrary directories by following symlinks↗2026-03-20

▶

GHSA

tar-rs `unpack_in` can chmod arbitrary directories by following symlinks↗2026-03-20

▶

OSV

CVE-2026-33056: tar-rs is a tar archive reading/writing library for Rust↗2026-03-20

▶

OSV

`unpack_in` can chmod arbitrary directories by following symlinks↗2026-03-19

▶

📋Vendor Advisories

Ubuntu

tar-rs vulnerability↗2026-04-14

▶

Ubuntu

Rust vulnerability↗2026-04-14

▶

Ubuntu

Rust vulnerability↗2026-04-13

▶

Ubuntu

tar-rs vulnerability↗2026-04-01

▶

Ubuntu

cargo-c vulnerability↗2026-04-01

▶

🕵️Threat Intelligence

Wiz

CVE-2026-33056 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

💬Community

Bugzilla

CVE-2026-33056 rust: tar-rs: Arbitrary directory permission modification via crafted tar archive [fedora-all]↗2026-03-20

▶

Bugzilla

CVE-2026-33056 goose: tar-rs: Arbitrary directory permission modification via crafted tar archive [fedora-all]↗2026-03-20

▶

Bugzilla

CVE-2026-33056 fido-device-onboard: tar-rs: Arbitrary directory permission modification via crafted tar archive [fedora-all]↗2026-03-20

▶