Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-33056 is a vulnerability in the Rust crate "tar-rs" versions 0.4.44 and below, specifically in the function that unpacks tar archives. When unpacking, the function uses fs::metadata() to check if a path is a directory. However, fs::metadata() follows symbolic links (symlinks), which can be exploited by a crafted tarball containing a symlink entry followed by a directory entry with the same name.'}, {'type': 'paragraph', 'content': 'This causes the crate to mistakenly treat the symlink target as an existing directory and apply chmod (permission changes) to it. As a result, an attacker can modify permissions of arbitrary directories outside the intended extraction root, potentially altering system or user directory permissions without authorization.'}, {'type': 'paragraph', 'content': 'The issue was fixed in version 0.4.45 by replacing fs::metadata() with fs::symlink_metadata(), which does not follow symlinks but detects and rejects them, preventing this unauthorized permission modification.'}] [1, 2]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker to modify the permissions of arbitrary directories outside the intended extraction directory when unpacking a malicious tar archive. By exploiting the symlink and directory entry collision, the attacker can cause the unpacking process to apply chmod operations on directories outside the extraction root.

Such unauthorized permission changes can lead to security risks including unauthorized access, privilege escalation, or disruption of system or application functionality by altering directory permissions unexpectedly.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves malicious tarballs containing a symlink entry followed by a directory entry with the same name, which causes unintended permission changes outside the extraction root.'}, {'type': 'paragraph', 'content': 'To detect exploitation attempts or presence of such malicious tarballs on your system, you can inspect tar archives for suspicious symlink and directory entries with the same path names.'}, {'type': 'paragraph', 'content': 'Suggested commands include:'}, {'type': 'list_item', 'content': 'Use tar to list archive contents and look for symlinks and directories with the same name: tar -tvf archive.tar'}, {'type': 'list_item', 'content': 'Extract the archive in a controlled environment and monitor permission changes outside the extraction directory using audit tools like auditd or inotify.'}, {'type': 'list_item', 'content': "Manually check for symlinks in the archive by filtering tar output: tar -tvf archive.tar | grep '^l' (lists symlinks)"}, {'type': 'list_item', 'content': 'Check for directory entries with the same name as symlinks by comparing the output of symlink entries and directory entries.'}] [1, 2]

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade the tar-rs crate to version 0.4.45 or later, where the vulnerability is fixed by replacing fs::metadata() with fs::symlink_metadata() to prevent following symlinks.

Additional immediate steps include:

• Avoid unpacking untrusted tar archives without sandboxing or containment.
• Use stronger sandboxing techniques such as OS-level containerization or virtualization when processing untrusted archives.
• Consider using crates like cap-std for safer filesystem operations.
• Be aware that the crate does not protect against TOCTOU race conditions, so avoid concurrent modifications of the destination directory by untrusted processes.

Useful 0 Not Useful 0