CVE-2026-33056

EUVD-2026-13616

20.03.2026, 08:16

tar-rs is a tar archive reading/writing library for Rust. In versions 0.4.44 and below, when unpacking a tar archive, the tar crate's unpack_dir function uses fs::metadata() to check whether a path that already exists is a directory. Because fs::metadata() follows symbolic links, a crafted tarball containing a symlink entry followed by a directory entry with the same name causes the crate to treat the symlink target as a valid existing directory — and subsequently apply chmod to it. This allows an attacker to modify the permissions of arbitrary directories outside the extraction root. This issue has been fixed in version 0.4.45.

Symlink

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.5 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
tar_project	tar	𝑥 < 0.4.45

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

rust-tar

bookworm	vulnerable
bullseye	vulnerable
forky	0.4.45-1 fixed
sid	0.4.45-2 fixed
trixie	vulnerable

rustc

bookworm	vulnerable
bullseye	vulnerable
forky	vulnerable
sid	1.92.0+dfsg1-2 fixed
trixie	vulnerable

Ubuntu Releases

Ubuntu Product

Codename

rust-tar

focal	needs-triage
jammy	needs-triage
noble	needs-triage
questing	needs-triage

Known Exploits!

https://github.com/alexcrichton/tar-rs/security/advisories/GHSA-j4xf-2g29-59ph

Common Weakness Enumeration

CWE-61 - UNIX Symbolic Link (Symlink) Following
The software, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the software to operate on unauthorized files.

References

https://github.com/alexcrichton/tar-rs/commit/17b1fd84e632071cb8eef9d3709bf347bd266446

https://github.com/alexcrichton/tar-rs/security/advisories/GHSA-j4xf-2g29-59ph