CVE-2026-32766

astral-tokio-tar is a tar archive reading/writing library for async Rust. In versions 0.5.6 and earlier, malformed PAX extensions were silently skipped when parsing tar archives. This silent skipping (rather than rejection) of invalid PAX extensions could be used as a building block for a parser differential, for example by silently skipping a malformed GNU “long link” extension so that a subsequent parser would misinterpret the extension. In practice, exploiting this behavior in astral-tokio-tar requires a secondary misbehaving tar parser, i.e. one that insufficiently validates malformed PAX extensions and interprets them rather than skipping or erroring on them. This vulnerability is considered low-severity as it requires a separate vulnerability against any unrelated tar parser. This issue has been fixed in version 0.6.0.

CVSS

No CVSS.

References

Link	Resource
https://github.com/astral-sh/tokio-tar/commit/e5e0139cae4577eeedf5fc16b65e690bf988ce52
https://github.com/astral-sh/tokio-tar/security/advisories/GHSA-6gx3-4362-rf54

Configurations

No configuration.

History

No history.

Information

Published : 2026-03-20 00:16

Updated : 2026-03-20 13:37

NVD link : CVE-2026-32766

Mitre link : CVE-2026-32766

CVE.ORG link : CVE-2026-32766

JSON object : View

Products Affected

No product.

CWE

CWE-436

Interpretation Conflict

{"id": "CVE-2026-32766", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 1.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "UNREPORTED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-20T00:16:18.100", "references": [{"url": "https://github.com/astral-sh/tokio-tar/commit/e5e0139cae4577eeedf5fc16b65e690bf988ce52", "source": "security-advisories@github.com"}, {"url": "https://github.com/astral-sh/tokio-tar/security/advisories/GHSA-6gx3-4362-rf54", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-436"}]}], "descriptions": [{"lang": "en", "value": "astral-tokio-tar is a tar archive reading/writing library for async Rust. In versions 0.5.6 and earlier, malformed PAX extensions were silently skipped when parsing tar archives. This silent skipping (rather than rejection) of invalid PAX extensions could be used as a building block for a parser differential, for example by silently skipping a malformed GNU \u201clong link\u201d extension so that a subsequent parser would misinterpret the extension. In practice, exploiting this behavior in astral-tokio-tar requires a secondary misbehaving tar parser, i.e. one that insufficiently validates malformed PAX extensions and interprets them rather than skipping or erroring on them. This vulnerability is considered low-severity as it requires a separate vulnerability against any unrelated tar parser. This issue has been fixed in version 0.6.0."}, {"lang": "es", "value": "astral-tokio-tar es una biblioteca de lectura/escritura de archivos tar para Rust as\u00edncrono. En las versiones 0.5.6 y anteriores, las extensiones PAX malformadas se omit\u00edan silenciosamente al analizar archivos tar. Esta omisi\u00f3n silenciosa (en lugar de rechazo) de extensiones PAX no v\u00e1lidas podr\u00eda usarse como un bloque de construcci\u00f3n para un diferencial de analizador, por ejemplo, omitiendo silenciosamente una extensi\u00f3n GNU 'long link' malformada para que un analizador posterior malinterpretara la extensi\u00f3n. En la pr\u00e1ctica, explotar este comportamiento en astral-tokio-tar requiere un analizador tar secundario con comportamiento incorrecto, es decir, uno que valide insuficientemente las extensiones PAX malformadas y las interprete en lugar de omitirlas o generar un error por ellas. Esta vulnerabilidad se considera de baja gravedad ya que requiere una vulnerabilidad separada contra cualquier analizador tar no relacionado. Este problema ha sido corregido en la versi\u00f3n 0.6.0."}], "lastModified": "2026-03-20T13:37:50.737", "sourceIdentifier": "security-advisories@github.com"}