CVE-2026-33056: CVE-2026-33056: Arbitrary Directory Permission Modification via Symlink Following in tar-rs

#security #cve #cybersecurity

CVE-2026-33056: Arbitrary Directory Permission Modification via Symlink Following in tar-rs

Vulnerability ID: CVE-2026-33056
CVSS Score: 5.1
Published: 2026-03-20

The tar-rs library version 0.4.44 and earlier contains a CWE-61 UNIX Symbolic Link (Symlink) Following vulnerability in the directory extraction logic. By utilizing a crafted tar archive containing a symlink and a directory of the same name, an attacker can manipulate directory permissions on the host system.

TL;DR

A symlink following flaw in tar-rs <= 0.4.44 allows attackers to modify permissions of arbitrary directories on the host system via crafted tarballs.

⚠️ Exploit Status: POC

Technical Details

CWE ID: CWE-61
Attack Vector: Network
CVSS v4.0 Score: 5.1
EPSS Score: 0.00064
Exploit Status: poc
Impact: Low Integrity

Affected Systems

tar-rs versions 0.4.44 and earlier
tar-rs: <= 0.4.44 (Fixed in: 0.4.45)

Code Analysis

Commit: 17b1fd8

Fix symlink following vulnerability during directory extraction.

Replaces fs::metadata with fs::symlink_metadata in src/entry.rs

Mitigation Strategies

Update tar-rs to version 0.4.45 or later.
Run archive extraction routines inside a sandbox or containerized environment.
Enforce capability-based filesystem boundaries using cap-std or similar mechanisms.
Drop privileges before extracting untrusted archive files.

Remediation Steps:

Identify all projects depending on the tar crate using cargo tree.
Update the Cargo.toml dependency to point to tar = ">=0.4.45".
Execute cargo update -p tar to lock the updated version.
Recompile and deploy the updated application binaries.

References

Read the full report for CVE-2026-33056 on our website for more details including interactive diagrams and full exploit analysis.

DEV Community