CVE-2026-33055

EUVD-2026-13596
tar-rs is a tar archive reading/writing library for Rust. Versions 0.4.44 and below have conditional logic that skips the PAX size header when the base header size is nonzero. As part of CVE-2025-62518, the astral-tokio-tar project was changed to correctly honor PAX size headers when they differ from the base header. This issue is almost the inverse of the astral-tokio-tar issue. Any discrepancy in how tar parsers honor file size can be used to create archives that appear differently when unpacked by different archivers. In this case, the tar-rs (Rust tar) crate is an outlier in checking the base header size; other tar parsers (including, e.g., Go archive/tar) unconditionally use the PAX size override. This can affect anything that uses the tar crate to parse archives and expects to have a consistent view with other parsers. This issue has been fixed in version 0.4.45.
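The condition described above can be checked before an archive reaches any parser. The following is an added example, not code from tar-rs or from this advisory: it walks raw tar blocks and reports entries where a PAX `size` record disagrees with a nonzero size in the base header. The names `size_conflicts`, `pax_size`, `octal` and `sample` are hypothetical, and the sample archive is constructed.

```rust
// Added example, not tar-rs code. Octal size fields only; checksums unchecked.
const BLOCK: usize = 512;

fn octal(f: &[u8]) -> u64 {
    f.iter().take_while(|b| (b'0'..=b'7').contains(*b)).fold(0, |n, b| n * 8 + u64::from(*b - b'0'))
}

// PAX records are "<len> <key>=<value>\n"; the last "size" record wins.
fn pax_size(mut rest: &[u8]) -> Option<u64> {
    let mut found = None;
    while let Some(sp) = rest.iter().position(|&b| b == b' ') {
        let len: usize = std::str::from_utf8(&rest[..sp]).ok()?.parse().ok()?;
        if len < sp + 2 || len > rest.len() { break; }
        if let Some(v) = rest[sp + 1..len - 1].strip_prefix(b"size=") {
            found = std::str::from_utf8(v).ok()?.parse().ok();
        }
        rest = &rest[len..];
    }
    found
}

// Returns (entry name, base header size, PAX size) for every conflict.
pub fn size_conflicts(tar: &[u8]) -> Vec<(String, u64, u64)> {
    let (mut off, mut pending, mut out) = (0, None, Vec::new());
    while off + BLOCK <= tar.len() && tar[off..off + BLOCK].iter().any(|&b| b != 0) {
        let h = &tar[off..off + BLOCK];
        let (size, start) = (octal(&h[124..136]), off + BLOCK);
        if h[156] == b'x' {
            pending = pax_size(&tar[start..(start + size as usize).min(tar.len())]);
        } else if let Some(p) = pending.take().filter(|&p| size != 0 && p != size) {
            let name = String::from_utf8_lossy(&h[..100]);
            out.push((name.trim_end_matches('\0').to_string(), size, p));
        }
        // Step by the base size; after a conflict the layout is parser-dependent.
        off = start + (size as usize + BLOCK - 1) / BLOCK * BLOCK;
    }
    out
}

// Constructed sample: a PAX header with size=8, then "a.txt" with `base_size`.
pub fn sample(base_size: u64) -> Vec<u8> {
    let mut t = vec![0u8; 6 * BLOCK];
    let mut put = |at: usize, s: &[u8]| t[at..at + s.len()].copy_from_slice(s);
    put(124, b"00000000012"); put(156, b"x"); put(BLOCK, b"10 size=8\n");
    put(2 * BLOCK, b"a.txt"); put(2 * BLOCK + 156, b"0");
    put(2 * BLOCK + 124, format!("{:011o}", base_size).as_bytes());
    t
}
fn main() { println!("{:?}", size_conflicts(&sample(4))); }
```

An archive that yields any conflict is one that tar 0.4.44 and a parser applying the PAX override unconditionally would read differently, so rejecting it is a reasonable policy for pipelines that mix parsers.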
Type Confusion
Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector
NIST | Primary | 8.1 HIGH | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
EPSS Score
Percentile: 31%
Affected Products (NVD)
Vendor | Product | Version
alexcrichton | tar-rs | 𝑥 < 0.4.45
𝑥 = Vulnerable software versions
Debian Releases
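Debian Product | Codename | Version | Status
rust-tar | bookworm | | vulnerable
rust-tar | bullseye | | postponed
rust-tar | forky | 0.4.45-2 | fixed
rust-tar | sid | 0.4.45-2 | fixed
rust-tar | trixie | | vulnerable
rustc | bookworm | | vulnerable
rustc | bullseye | | postponed
rustc | forky | 1.95.0+dfsg1-2 | fixed
rustc | sid | 1.95.0+dfsg1-2 | fixed
rustc | trixie | | no-dsa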
Ubuntu Releases
Ubuntu Product | Codename | Status
rust-tar | focal | needs-triage
rust-tar | jammy | needs-triage
rust-tar | noble | needs-triage
rust-tar | questing | needs-triage
rust-tar | resolute | needs-triage
Amazon Linux Releases
Amazon Package | Release | Version | Status
below | Amazon Linux 2023 | 0:0.11.0-1.amzn2023.0.3 | fixed
below-debuginfo | Amazon Linux 2023 | 0:0.11.0-1.amzn2023.0.3 | fixed
cargo | Amazon Linux 2 | 0:1.94.0-1.amzn2.0.2 | fixed
cargo | Amazon Linux 2023 | 0:1.94.0-1.amzn2023.0.2 | fixed
cargo-c | Amazon Linux 2023 | 0:0.10.19-1.amzn2023.0.2 | fixed
cargo-c-debuginfo | Amazon Linux 2023 | 0:0.10.19-1.amzn2023.0.2 | fixed
cargo-debuginfo | Amazon Linux 2023 | 0:1.94.0-1.amzn2023.0.2 | fixed
clamav1.5 | Amazon Linux 2023 | 0:1.5.1-1.amzn2023.0.5 | fixed
clamav1.5-data | Amazon Linux 2023 | 0:1.5.1-1.amzn2023.0.5 | fixed
clamav1.5-debuginfo | Amazon Linux 2023 | 0:1.5.1-1.amzn2023.0.5 | fixed
clamav1.5-debugsource | Amazon Linux 2023 | 0:1.5.1-1.amzn2023.0.5 | fixed
clamav1.5-devel | Amazon Linux 2023 | 0:1.5.1-1.amzn2023.0.5 | fixed
clamav1.5-doc | Amazon Linux 2023 | 0:1.5.1-1.amzn2023.0.5 | fixed
clamav1.5-filesystem | Amazon Linux 2023 | 0:1.5.1-1.amzn2023.0.5 | fixed
clamav1.5-freshclam | Amazon Linux 2023 | 0:1.5.1-1.amzn2023.0.5 | fixed
clamav1.5-freshclam-debuginfo | Amazon Linux 2023 | 0:1.5.1-1.amzn2023.0.5 | fixed
clamav1.5-lib | Amazon Linux 2023 | 0:1.5.1-1.amzn2023.0.5 | fixed
clamav1.5-lib-debuginfo | Amazon Linux 2023 | 0:1.5.1-1.amzn2023.0.5 | fixed
clamav1.5-milter | Amazon Linux 2023 | 0:1.5.1-1.amzn2023.0.5 | fixed
clamav1.5-milter-debuginfo | Amazon Linux 2023 | 0:1.5.1-1.amzn2023.0.5 | fixed
clamd1.5 | Amazon Linux 2023 | 0:1.5.1-1.amzn2023.0.5 | fixed
clamd1.5-debuginfo | Amazon Linux 2023 | 0:1.5.1-1.amzn2023.0.5 | fixed
clippy | Amazon Linux 2 | 0:1.94.0-1.amzn2.0.2 | fixed
clippy | Amazon Linux 2023 | 0:1.94.0-1.amzn2023.0.2 | fixed
clippy-debuginfo | Amazon Linux 2023 | 0:1.94.0-1.amzn2023.0.2 | fixed
rust | Amazon Linux 2 | 0:1.94.0-1.amzn2.0.2 | fixed
rust | Amazon Linux 2023 | 0:1.94.0-1.amzn2023.0.2 | fixed
rust-analyzer | Amazon Linux 2 | 0:1.94.0-1.amzn2.0.2 | fixed
rust-analyzer | Amazon Linux 2023 | 0:1.94.0-1.amzn2023.0.2 | fixed
rust-analyzer-debuginfo | Amazon Linux 2023 | 0:1.94.0-1.amzn2023.0.2 | fixed
rust-below-debugsource | Amazon Linux 2023 | 0:0.11.0-1.amzn2023.0.3 | fixed
rust-cargo-c-debugsource | Amazon Linux 2023 | 0:0.10.19-1.amzn2023.0.2 | fixed
rust-debugger-common | Amazon Linux 2 | 0:1.94.0-1.amzn2.0.2 | fixed
rust-debugger-common | Amazon Linux 2023 | 0:1.94.0-1.amzn2023.0.2 | fixed
rust-debuginfo | Amazon Linux 2023 | 0:1.94.0-1.amzn2023.0.2 | fixed
rust-debugsource | Amazon Linux 2023 | 0:1.94.0-1.amzn2023.0.2 | fixed
rust-doc | Amazon Linux 2 | 0:1.94.0-1.amzn2.0.2 | fixed
rust-doc | Amazon Linux 2023 | 0:1.94.0-1.amzn2023.0.2 | fixed
rust-gdb | Amazon Linux 2 | 0:1.94.0-1.amzn2.0.2 | fixed
rust-gdb | Amazon Linux 2023 | 0:1.94.0-1.amzn2023.0.2 | fixed
rust-lldb | Amazon Linux 2023 | 0:1.94.0-1.amzn2023.0.2 | fixed
rust-src | Amazon Linux 2 | 0:1.94.0-1.amzn2.0.2 | fixed
rust-src | Amazon Linux 2023 | 0:1.94.0-1.amzn2023.0.2 | fixed
rust-std-static | Amazon Linux 2 | 0:1.94.0-1.amzn2.0.2 | fixed
rust-std-static | Amazon Linux 2023 | 0:1.94.0-1.amzn2023.0.2 | fixed
rust-std-static-wasm32-unknown-unknown | Amazon Linux 2023 | 0:1.94.0-1.amzn2023.0.2 | fixed
rust-std-static-wasm32-wasip1 | Amazon Linux 2023 | 0:1.94.0-1.amzn2023.0.2 | fixed
rust-toolset | Amazon Linux 2 | 0:1.94.0-1.amzn2.0.2 | fixed
rust-toolset | Amazon Linux 2023 | 0:1.94.0-1.amzn2023.0.2 | fixed
rust-toolset-srpm-macros | Amazon Linux 2 | 0:1.94.0-1.amzn2.0.2 | fixed
rust-toolset-srpm-macros | Amazon Linux 2023 | 0:1.94.0-1.amzn2023.0.2 | fixed
rustfmt | Amazon Linux 2 | 0:1.94.0-1.amzn2.0.2 | fixed
rustfmt | Amazon Linux 2023 | 0:1.94.0-1.amzn2023.0.2 | fixed
rustfmt-debuginfo | Amazon Linux 2023 | 0:1.94.0-1.amzn2023.0.2 | fixed
Azure Linux Releases
Azure Package | Release | Version | Status
clamav | Azure Linux 3.0 | 0:1.5.2-2.azl3 | fixed
rpm-ostree | Azure Linux 3.0 | 0:2024.4-10.azl3 | fixed
rust | Azure Linux 3.0 | 0:1.75.0-28.azl3 | fixed
trident | Azure Linux 3.0 | 0:0.22.0-1.azl3 | fixed