CVE-2026-33056
Symlink Following in tar-rs Allows Arbitrary Directory Permission Modification

Publication date: 2026-03-20

Last updated on: 2026-03-24

Assigner: GitHub, Inc.

Description
tar-rs is a tar archive reading/writing library for Rust. In versions 0.4.44 and below, when unpacking a tar archive, the tar crate's unpack_dir function uses fs::metadata() to check whether a path that already exists is a directory. Because fs::metadata() follows symbolic links, a crafted tarball containing a symlink entry followed by a directory entry with the same name causes the crate to treat the symlink target as a valid existing directory, and subsequently apply chmod to it. This allows an attacker to modify the permissions of arbitrary directories outside the extraction root. This issue has been fixed in version 0.4.45.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-03-20
EPSS evaluated: 2026-05-05
Affected Vendors & Products
Vendor: tar_project
Product: tar
Version / Range: up to 0.4.45 (excluding)
CWE
CWE-61: The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-33056 is a vulnerability in the Rust crate "tar-rs" versions 0.4.44 and below, specifically in the function that unpacks tar archives. When unpacking, the function uses fs::metadata() to check if a path is a directory. However, fs::metadata() follows symbolic links (symlinks), which can be exploited by a crafted tarball containing a symlink entry followed by a directory entry with the same name.

This causes the crate to mistakenly treat the symlink target as an existing directory and apply chmod (permission changes) to it. As a result, an attacker can modify permissions of arbitrary directories outside the intended extraction root, potentially altering system or user directory permissions without authorization.

The issue was fixed in version 0.4.45 by replacing fs::metadata() with fs::symlink_metadata(), which does not follow symlinks but detects and rejects them, preventing this unauthorized permission modification. [1, 2]


How can this vulnerability impact me?

This vulnerability allows an attacker to modify the permissions of arbitrary directories outside the intended extraction directory when unpacking a malicious tar archive. By exploiting the symlink and directory entry collision, the attacker can cause the unpacking process to apply chmod operations on directories outside the extraction root.

Such unauthorized permission changes can lead to security risks including unauthorized access, privilege escalation, or disruption of system or application functionality by altering directory permissions unexpectedly.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves malicious tarballs containing a symlink entry followed by a directory entry with the same name, which causes unintended permission changes outside the extraction root.

To detect exploitation attempts or presence of such malicious tarballs on your system, you can inspect tar archives for suspicious symlink and directory entries with the same path names.

Suggested commands include:

  • Use tar to list archive contents and look for symlinks and directories with the same name: tar -tvf archive.tar
  • Extract the archive in a controlled environment and monitor permission changes outside the extraction directory using audit tools like auditd or inotify.
  • Manually check for symlinks in the archive by filtering tar output: tar -tvf archive.tar | grep '^l' (lists symlinks)
  • Check for directory entries with the same name as symlinks by comparing the output of symlink entries and directory entries.

[1, 2]


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade the tar-rs crate to version 0.4.45 or later, where the vulnerability is fixed by replacing fs::metadata() with fs::symlink_metadata() to prevent following symlinks.

Additional immediate steps include:

  • Avoid unpacking untrusted tar archives without sandboxing or containment.
  • Use stronger sandboxing techniques such as OS-level containerization or virtualization when processing untrusted archives.
  • Consider using crates like cap-std for safer filesystem operations.
  • Be aware that the crate does not protect against TOCTOU race conditions, so avoid concurrent modifications of the destination directory by untrusted processes.
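As an added illustration (not code from tar-rs), the Rust snippet below contrasts the fs::metadata() check that versions up to 0.4.44 relied on with a fs::symlink_metadata() check in the spirit of the 0.4.45 fix, and reproduces the symlink/directory name collision in a temporary directory (a constructed on-disk layout, not a tarball) to show where the two checks disagree. The names check_existing_dir, is_dir_following_links and demo_symlink_collision are assumptions of this example, not the crate's API, and the symlink creation uses std::os::unix, so it runs on Unix-like systems.

```rust
use std::fs;
use std::io;
use std::path::Path;

/// Vulnerable-style check (what tar-rs <= 0.4.44 did): fs::metadata() follows
/// symlinks, so a link pointing outside the extraction root is reported as an
/// existing directory and would then have chmod applied to its target.
pub fn is_dir_following_links(path: &Path) -> bool {
    fs::metadata(path).map(|m| m.is_dir()).unwrap_or(false)
}

/// Hardened check in the spirit of the 0.4.45 fix: fs::symlink_metadata() does
/// not follow the final path component, so a symlink is recognised as a symlink
/// and rejected instead of being treated as a directory.
pub fn check_existing_dir(path: &Path) -> io::Result<bool> {
    match fs::symlink_metadata(path) {
        Ok(meta) if meta.file_type().is_symlink() => Err(io::Error::new(
            io::ErrorKind::InvalidData,
            format!("refusing to treat symlink {} as a directory", path.display()),
        )),
        Ok(meta) => Ok(meta.is_dir()),
        Err(e) if e.kind() == io::ErrorKind::NotFound => Ok(false),
        Err(e) => Err(e),
    }
}

/// Constructed layout (hypothetical helper, not a tarball): `<root>/outside` stands in
/// for a directory outside the extraction root and `<root>/extract/pkg` is a symlink
/// to it, as a symlink entry would leave it just before a same-named directory entry.
/// Returns (naive check reports a directory, hardened check rejected the symlink).
pub fn demo_symlink_collision() -> io::Result<(bool, bool)> {
    let root = std::env::temp_dir().join(format!("tar_symlink_demo_{}", std::process::id()));
    let _ = fs::remove_dir_all(&root);
    let outside = root.join("outside");
    let link = root.join("extract").join("pkg");
    fs::create_dir_all(&outside)?;
    fs::create_dir_all(link.parent().unwrap())?;
    std::os::unix::fs::symlink(&outside, &link)?;
    let naive = is_dir_following_links(&link);
    let hardened = check_existing_dir(&link).is_err();
    fs::remove_dir_all(&root)?;
    Ok((naive, hardened))
}

fn main() -> io::Result<()> {
    let (naive, hardened) = demo_symlink_collision()?;
    println!("fs::metadata reports a directory: {naive}; symlink_metadata rejects it: {hardened}");
    Ok(())
}
```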
