CVE-2026-33055

tar-rs is a tar archive reading/writing library for Rust. Versions 0.4.44 and below have conditional logic that skips the PAX size header in cases where the base header size is nonzero. As part of CVE-2025-62518, the astral-tokio-tar project was changed to correctly honor PAX size headers in the case where it was different from the base header. This is almost the inverse of the astral-tokio-tar issue. Any discrepancy in how tar parsers honor file size can be used to create archives that appear differently when unpacked by different archivers. In this case, the tar-rs (Rust tar) crate is an outlier in checking for the header size - other tar parsers (including e.g. Go archive/tar) unconditionally use the PAX size override. This can affect anything that uses the tar crate to parse archives and expects to have a consistent view with other parsers. This issue has been fixed in version 0.4.45.

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/alexcrichton/tar-rs/commit/de1a5870e603758f430073688691165f21a33946	Patch
https://github.com/alexcrichton/tar-rs/security/advisories/GHSA-gchp-q4r4-x4ff	Exploit Vendor Advisory
https://www.cve.org/CVERecord?id=CVE-2025-62518	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:alexcrichton:tar-rs:*:*:*:*:*:rust:*:*

History

No history.

Information

Published : 2026-03-20 07:16

Updated : 2026-03-23 15:27

NVD link : CVE-2026-33055

Mitre link : CVE-2026-33055

CVE.ORG link : CVE-2026-33055

JSON object : View

Products Affected

alexcrichton

tar-rs

CWE

CWE-843

Access of Resource Using Incompatible Type ('Type Confusion')

{"id": "CVE-2026-33055", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-20T07:16:13.543", "references": [{"url": "https://github.com/alexcrichton/tar-rs/commit/de1a5870e603758f430073688691165f21a33946", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/alexcrichton/tar-rs/security/advisories/GHSA-gchp-q4r4-x4ff", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://www.cve.org/CVERecord?id=CVE-2025-62518", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-843"}]}], "descriptions": [{"lang": "en", "value": "tar-rs is a tar archive reading/writing library for Rust. Versions 0.4.44 and below have conditional logic that skips the PAX size header in cases where the base header size is nonzero. As part of CVE-2025-62518, the astral-tokio-tar project was changed to correctly honor PAX size headers in the case where it was different from the base header. This is almost the inverse of the astral-tokio-tar issue. Any discrepancy in how tar parsers honor file size can be used to create archives that appear differently when unpacked by different archivers. In this case, the tar-rs (Rust tar) crate is an outlier in checking for the header size - other tar parsers (including e.g. Go archive/tar) unconditionally use the PAX size override. This can affect anything that uses the tar crate to parse archives and expects to have a consistent view with other parsers. This issue has been fixed in version 0.4.45."}, {"lang": "es", "value": "tar-rs es una biblioteca de lectura/escritura de archivos tar para Rust. Las versiones 0.4.44 e inferiores tienen l\u00f3gica condicional que omite el encabezado de tama\u00f1o PAX en los casos en que el tama\u00f1o del encabezado base no es cero. Como parte de CVE-2025-62518, el proyecto astral-tokio-tar fue modificado para respetar correctamente los encabezados de tama\u00f1o PAX en el caso en que fuera diferente del encabezado base. Esto es casi lo inverso del problema de astral-tokio-tar. Cualquier discrepancia en c\u00f3mo los analizadores tar respetan el tama\u00f1o del archivo puede ser utilizada para crear archivos que aparecen de manera diferente cuando son desempaquetados por diferentes archivadores. En este caso, el 'crate' tar-rs (tar de Rust) es una excepci\u00f3n al verificar el tama\u00f1o del encabezado; otros analizadores tar (incluyendo, por ejemplo, Go archive/tar) usan incondicionalmente la anulaci\u00f3n de tama\u00f1o PAX. Esto puede afectar cualquier cosa que use el 'crate' tar para analizar archivos y espere tener una vista consistente con otros analizadores. Este problema ha sido corregido en la versi\u00f3n 0.4.45."}], "lastModified": "2026-03-23T15:27:16.467", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:alexcrichton:tar-rs:*:*:*:*:*:rust:*:*", "vulnerable": true, "matchCriteriaId": "6BFF2938-0282-4340-B01B-3B365160D641", "versionEndExcluding": "0.4.45"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}