CVE-2026-32766
Status: Received - Intake
Silent Skipping of Malformed PAX Extensions in astral-tokio-tar

Publication date: 2026-03-20

Last updated on: 2026-04-17

Assigner: GitHub, Inc.

Description
astral-tokio-tar is a tar archive reading/writing library for async Rust. In versions 0.5.6 and earlier, malformed PAX extensions were silently skipped when parsing tar archives. This silent skipping (rather than rejection) of invalid PAX extensions could be used as a building block for a parser differential, for example by silently skipping a malformed GNU "long link" extension so that a subsequent parser would misinterpret the extension. In practice, exploiting this behavior in astral-tokio-tar requires a secondary misbehaving tar parser, i.e. one that insufficiently validates malformed PAX extensions and interprets them rather than skipping or erroring on them. This vulnerability is considered low-severity as it requires a separate vulnerability against any unrelated tar parser. This issue has been fixed in version 0.6.0.
Meta Information
Published: 2026-03-20
Last Modified: 2026-04-17
Generated: 2026-05-07
AI Q&A: 2026-03-20
EPSS Evaluated: 2026-05-05
Source: NVD
Affected Vendors & Products (showing 1 associated CPE)
Vendor: astral
Product: astral-tokio-tar
Version / Range: up to 0.6.0 (excluding)
CWE
CWE-436: Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-32766 is a vulnerability in the astral-tokio-tar Rust library, which handles reading and writing tar archives asynchronously. In versions 0.5.6 and earlier, the library silently skipped malformed PAX extensions when parsing tar archives instead of rejecting them. This means that invalid metadata extensions in tar files were ignored without error.

This silent skipping can be exploited as part of a parser differential attack, where astral-tokio-tar ignores malformed extensions but another tar parser might misinterpret them, potentially leading to incorrect or unsafe archive extraction behavior. However, exploiting this vulnerability requires a secondary tar parser that improperly validates PAX extensions.

The issue was fixed in version 0.6.0 by enforcing strict validation and error propagation for malformed PAX extensions, ensuring that invalid extensions cause extraction errors rather than being silently ignored.
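As an added illustration (not code from astral-tokio-tar or its fix), here is a minimal PAX extended-header record parser in the two modes the description and the answer above contrast: a strict mode that fails the whole header on the first malformed record, and a lenient mode that silently skips it. The function names, the resynchronisation rule in the lenient mode and the sample header bytes are this example's own assumptions, not taken from the crate.

```rust
use std::collections::BTreeMap;

/// Parse one PAX record "<len> <key>=<value>\n" at the start of `buf`. `<len>` counts
/// every byte of the record, digits, space and trailing newline included.
fn parse_record(buf: &[u8]) -> Result<(String, String, usize), &'static str> {
    let space = buf.iter().position(|&b| b == b' ').ok_or("no length field")?;
    let len = std::str::from_utf8(&buf[..space]).ok()
        .and_then(|s| s.parse::<usize>().ok())
        .ok_or("length is not a decimal number")?;
    if len <= space + 1 { return Err("declared length too small"); }
    if len > buf.len() { return Err("record runs past end of header"); }
    let body = buf[space + 1..len].strip_suffix(b"\n").ok_or("record does not end in newline")?;
    let eq = body.iter().position(|&b| b == b'=').ok_or("record has no '='")?;
    let key = String::from_utf8_lossy(&body[..eq]).into_owned();
    let value = String::from_utf8_lossy(&body[eq + 1..]).into_owned();
    Ok((key, value, len))
}

/// Strict mode, the behaviour the page attributes to 0.6.0: the first
/// malformed record fails the whole extended header.
pub fn parse_pax_strict(data: &[u8]) -> Result<BTreeMap<String, String>, &'static str> {
    let (mut out, mut pos) = (BTreeMap::new(), 0);
    while pos < data.len() {
        let (k, v, n) = parse_record(&data[pos..])?;
        out.insert(k, v);
        pos += n;
    }
    Ok(out)
}

/// Lenient mode, modelling the pre-0.6.0 "silently skip" behaviour. How the crate
/// resynchronised is not stated on the page; this example assumes it resumes after the next newline.
pub fn parse_pax_lenient(data: &[u8]) -> BTreeMap<String, String> {
    let (mut out, mut pos) = (BTreeMap::new(), 0);
    while pos < data.len() {
        match parse_record(&data[pos..]) {
            Ok((k, v, n)) => { out.insert(k, v); pos += n; }
            Err(_) => {
                let nl = data[pos..].iter().position(|&b| b == b'\n');
                pos += nl.map_or(data.len() - pos, |i| i + 1);
            }
        }
    }
    out
}

/// Constructed sample: a valid record, then a "linkpath" record whose declared
/// length (8) stops before its newline, then another valid record.
pub const SAMPLE: &[u8] = b"14 path=a.txt\n8 linkpath=x\n18 size=123456789\n";
```

Run over SAMPLE, the strict parser returns an error while the lenient one returns only `path` and `size`, which is the differing view of the same bytes that CWE-436 describes.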


How can this vulnerability impact me?

This vulnerability can impact you if you use astral-tokio-tar to extract tar archives and also rely on another tar parser that does not properly validate malformed PAX extensions. Because astral-tokio-tar silently skips malformed extensions, a secondary parser might misinterpret these extensions, potentially leading to incorrect extraction results or unsafe handling of archive contents.

In practice, the impact is considered low severity because exploitation requires a secondary vulnerable tar parser. If you only use astral-tokio-tar or use tar parsers that correctly validate PAX extensions, the risk is minimal.

Upgrading to astral-tokio-tar version 0.6.0 or later mitigates this issue by rejecting malformed PAX extensions and preventing silent skipping.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves the silent skipping of malformed PAX extensions in tar archives by the astral-tokio-tar library versions 0.5.6 and earlier. Detection involves identifying tar archive extraction processes using vulnerable versions of the astral-tokio-tar crate.

Since the vulnerability manifests during tar archive parsing, one way to detect it is by attempting to extract tar files with malformed PAX extensions using the vulnerable library and observing if errors are raised or if malformed extensions are silently skipped.

Specific commands to detect the vulnerability are not provided in the available resources. However, users can check the version of the astral-tokio-tar crate used in their Rust projects by inspecting the Cargo.lock or Cargo.toml files, for example:

- grep 'tokio-tar' Cargo.lock
- cargo tree | grep tokio-tar

To detect malformed PAX extensions in tar archives, specialized scripts or tools that validate PAX headers strictly would be needed, but such tools or commands are not detailed in the provided resources. [1, 2]


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade the astral-tokio-tar Rust crate to version 0.6.0 or later, where the vulnerability has been fixed by enforcing strict validation and error propagation for malformed PAX extensions.

Users extracting tar files with poorly constructed PAX extensions may encounter errors after upgrading and should consider reconstructing their tar files using a conforming tar parser.

Since exploitation requires a secondary vulnerable tar parser that improperly processes malformed PAX extensions, ensuring that all tar parsers in use properly validate PAX extensions can further reduce risk.

