CVE-2026-33055: Parser Differential and Archive Smuggling in Rust tar-rs
Vulnerability ID: CVE-2026-33055
CVSS Score: 5.1
Published: 2026-03-20
A parser differential vulnerability in the Rust tar-rs crate <= 0.4.44 allows attackers to smuggle hidden TAR entries past compliant security validators. The vulnerability arises from non-compliant handling of PAX extended header size overrides.
TL;DR
The tar-rs library fails to unconditionally honor PAX extended header size attributes, creating a parser differential against POSIX-compliant implementations. This discrepancy enables attackers to craft 'chameleon' archives that hide malicious entries from security scanners but are executed upon extraction by tar-rs.
⚠️ Exploit Status: POC
Technical Details
- Vulnerability Type: Parser Differential / Type Confusion
- CWE ID: CWE-843
- CVSS v4.0: 5.1 (Medium)
- EPSS Score: 0.00040 (0.04%)
- Affected Component: tar-rs src/archive.rs (EntriesFields::next)
- Exploit Status: Proof of Concept available
- Attack Vector: Crafted TAR archive upload
Affected Systems
- Applications utilizing the tar-rs crate <= 0.4.44
- Rust-based backend services processing user-uploaded archives
- tar-rs: <= 0.4.44 (fixed in 0.4.45)
Code Analysis
Commit: de1a587
Fix PAX size override logic to comply with POSIX standards and prevent entry smuggling
Mitigation Strategies
- Upgrade the tar-rs library to version 0.4.45.
- Configure upstream validation services to reject TAR archives with conflicting metadata fields.
- Implement strong sandboxing and strict least-privilege principles for the extraction process.
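As an added, defender-side example (not tar-rs code and not from the advisory), the following Rust walker scans a raw TAR stream and flags every entry whose PAX size record disagrees with the ustar header size field, which is the kind of conflicting metadata the second mitigation above asks an upstream validator to reject. The sample archive is constructed inline with made-up names and sizes; it omits header checksums because the check does not depend on them.

```rust
// Added example, not tar-rs code: report entries whose PAX "size" record disagrees with the ustar size field.
const BLOCK: usize = 512;

fn octal(field: &[u8]) -> u64 {                 // ustar numeric fields: ASCII octal, NUL/space padded
    let s = String::from_utf8_lossy(field);
    u64::from_str_radix(s.trim_matches(|c| c == '\0' || c == ' '), 8).unwrap_or(0)
}

// Walk PAX records ("<len> key=value\n", where len counts the whole record) and return `size`.
fn pax_size(mut data: &[u8]) -> Option<u64> {
    while !data.is_empty() {
        let sp = data.iter().position(|&b| b == b' ')?;
        let len: usize = std::str::from_utf8(&data[..sp]).ok()?.parse().ok()?;
        if len <= sp + 1 || len > data.len() { return None; }      // malformed record
        let rec = std::str::from_utf8(&data[sp + 1..len]).ok()?.trim_end_matches('\n');
        if let Some(v) = rec.strip_prefix("size=") { return v.parse().ok(); }
        data = &data[len..];
    }
    None
}

// (name, ustar size, PAX size) for every entry whose two size claims disagree.
pub fn conflicting_sizes(archive: &[u8]) -> Vec<(String, u64, u64)> {
    let (mut out, mut pending, mut off) = (Vec::new(), None, 0);
    while off + BLOCK <= archive.len() {
        let hdr = &archive[off..off + BLOCK];
        if hdr.iter().all(|&b| b == 0) { break; }                  // end-of-archive marker
        let size = octal(&hdr[124..136]) as usize;
        let body = &archive[off + BLOCK..(off + BLOCK + size).min(archive.len())];
        if hdr[156] == b'x' {
            pending = pax_size(body);                               // override applies to the next entry
        } else if let Some(p) = pending.take().filter(|&p| p != size as u64) {
            let name: String = String::from_utf8_lossy(&hdr[..100]).trim_end_matches('\0').into();
            out.push((name, size as u64, p));
        }
        off += BLOCK * (1 + (size + BLOCK - 1) / BLOCK);            // header plus padded data blocks
    }
    out
}

// Constructed sample (no checksums): a PAX header claiming size=0, then a ustar entry claiming 5 bytes.
pub fn sample_archive() -> Vec<u8> {
    let header = |name: &str, size: usize, flag: u8| {
        let mut h = vec![0u8; BLOCK];
        h[..name.len()].copy_from_slice(name.as_bytes());
        h[124..135].copy_from_slice(format!("{:011o}", size).as_bytes());
        h[156] = flag;
        h
    };
    let pad = |mut v: Vec<u8>| { v.resize((v.len() + BLOCK - 1) / BLOCK * BLOCK, 0); v };
    [header("PaxHeader/payload.sh", 9, b'x'), pad(b"9 size=0\n".to_vec()),
     header("payload.sh", 5, b'0'), pad(b"hello".to_vec()), vec![0u8; 2 * BLOCK]].concat()
}
```

A validator that rejects any archive for which conflicting_sizes returns a non-empty list never has to guess which of the two sizes a downstream extractor will honor.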
Remediation Steps:
- Identify all projects depending on the tar-rs crate using cargo tree or cargo audit.
- Update Cargo.toml to specify tar-rs = "^0.4.45".
- Run cargo update -p tar to update the lockfile.
- Recompile and deploy the updated application binaries.