CVE-2026-33056

EUVD-2026-13616

20.03.2026, 08:16

tar-rs is a tar archive reading/writing library for Rust. In versions 0.4.44 and below, when unpacking a tar archive, the tar crate's unpack_dir function uses fs::metadata() to check whether a path that already exists is a directory. Because fs::metadata() follows symbolic links, a crafted tarball containing a symlink entry followed by a directory entry with the same name causes the crate to treat the symlink target as a valid existing directory — and subsequently apply chmod to it. This allows an attacker to modify the permissions of arbitrary directories outside the extraction root. This issue has been fixed in version 0.4.45.

Symlink

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.5 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 29%

Affected Products (NVD)

Vendor	Product	Version
tar_project	tar	𝑥 < 0.4.45

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

rust-tar

bookworm	vulnerable
bullseye	postponed
forky	0.4.45-2 fixed
sid	0.4.45-2 fixed
trixie	vulnerable

rustc

bookworm	vulnerable
bullseye	postponed
forky	1.95.0+dfsg1-2 fixed
sid	1.95.0+dfsg1-2 fixed
trixie	no-dsa

Ubuntu Releases

Ubuntu Product

Codename

cargo

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
noble	dne
questing	dne
resolute	dne
xenial	ignored

rust-astral-tokio-tar

jammy	dne
noble	dne
questing	needs-triage
resolute	needs-triage

rust-async-tar

jammy	dne
noble	needs-triage
questing	needs-triage
resolute	dne

rust-cargo-c

jammy	dne
noble	needs-triage
questing	Fixed 0.10.11-1ubuntu1.1 released
resolute	not-affected

rust-tar

focal	needs-triage
jammy	Fixed 0.4.37-3ubuntu0.1 released
noble	Fixed 0.4.40-1ubuntu0.1 released
questing	Fixed 0.4.43-4ubuntu0.1 released
resolute	not-affected

rustc

bionic	needs-triage
focal	needs-triage
jammy	Fixed 1.75.0+dfsg0ubuntu1~bpo0-0ubuntu0.22.04.1 released
noble	Fixed 1.75.0+dfsg0ubuntu1-0ubuntu7.4 released
questing	dne
resolute	dne
trusty	needs-triage
xenial	ignored

rustc-1.62

jammy	Fixed 1.62.1+dfsg1-1ubuntu0.22.04.3 released
noble	dne
questing	dne
resolute	dne

rustc-1.74

jammy	dne
noble	Fixed 1.74.1+dfsg0ubuntu1-0ubuntu15 released
questing	dne
resolute	dne

rustc-1.76

focal	needs-triage
jammy	Fixed 1.76.0+dfsg0ubuntu1~bpo0-0ubuntu0.22.04.1 released
noble	Fixed 1.76.0+dfsg0ubuntu1-0ubuntu0.24.04.2 released
questing	dne
resolute	dne

rustc-1.77

focal	needs-triage
jammy	Fixed 1.77.2+dfsg1ubuntu1~bpo0-0ubuntu0.22.04.1 released
noble	Fixed 1.77.2+dfsg1ubuntu1-0ubuntu0.24.04.1 released
questing	dne
resolute	dne

rustc-1.78

focal	needs-triage
jammy	Fixed 1.78.0+dfsg1ubuntu1~bpo0-0ubuntu0.22.04.1 released
noble	Fixed 1.78.0+dfsg1ubuntu1-0ubuntu0.24.04.2 released
questing	dne
resolute	dne

rustc-1.79

focal	needs-triage
jammy	Fixed 1.79.0+dfsg1ubuntu1~bpo0-0ubuntu0.22.04.1 released
noble	Fixed 1.79.0+dfsg1ubuntu1-0ubuntu0.24.04.1 released
questing	dne
resolute	dne

rustc-1.80

focal	needs-triage
jammy	Fixed 1.80.1+dfsg0ubuntu1~bpo0-0ubuntu0.22.04.1 released
noble	Fixed 1.80.1+dfsg0ubuntu1-0ubuntu0.24.04.01 released
questing	dne
resolute	dne

rustc-1.81

jammy	Fixed 1.81.0+dfsg0ubuntu0-0ubuntu0.22.04.1 released
noble	Fixed 1.81.0+dfsg0ubuntu1-0ubuntu0.24.04.1 released
questing	dne
resolute	dne

rustc-1.82

jammy	Fixed 1.82.0+dfsg0ubuntu0~jammy-0ubuntu0.22.04.1 released
noble	Fixed 1.82.0+dfsg0ubuntu0-0ubuntu0.24.04.1 released
questing	dne
resolute	dne

rustc-1.83

jammy	Fixed 1.83.0+dfsg0ubuntu2~bpo2-0ubuntu2.22.04.1 released
noble	Fixed 1.83.0+dfsg0ubuntu1~bpo2-0ubuntu0.24.04.1 released
questing	dne
resolute	dne

rustc-1.84

jammy	Fixed 1.84.1+dfsg0ubuntu1~bpo10-0ubuntu4.22.04.1 released
noble	Fixed 1.84.1+dfsg0ubuntu1~bpo2-0ubuntu2.24.04.1 released
questing	dne
resolute	dne

rustc-1.85

jammy	Fixed 1.85.1+dfsg0ubuntu2~bpo0-0ubuntu1.22.04.1 released
noble	Fixed 1.85.1+dfsg0ubuntu2~bpo0-0ubuntu0.24.04.2 released
questing	Fixed 1.85.1+dfsg0ubuntu2-0ubuntu1.25.04.1 released
resolute	dne

rustc-1.88

jammy	dne
noble	dne
questing	Fixed 1.88.0+dfsg0ubuntu1-0ubuntu2 released
resolute	dne

rustc-1.89

jammy	Fixed 1.89.0+dfsg~24.04-0ubuntu0.22.04.2 released
noble	Fixed 1.89.0+dfsg~24.04-0ubuntu0.24.04.2 released
questing	dne
resolute	dne

rustc-1.91

jammy	Fixed 1.91.1+dfsg~22.04-0ubuntu0.22.04.3 released
noble	Fixed 1.91.1+dfsg~24.04-0ubuntu0.24.04.2 released
questing	not-affected
resolute	not-affected

rustc-1.92

jammy	dne
noble	dne
questing	dne
resolute	not-affected

rustc-1.93

jammy	dne
noble	dne
questing	dne
resolute	not-affected

Amazon Linux Releases

Amazon Package

Release

below

Amazon Linux 2023

0:0.11.0-1.amzn2023.0.3

fixed

below-debuginfo

Amazon Linux 2023

0:0.11.0-1.amzn2023.0.3

fixed

cargo

Amazon Linux 2	0:1.94.0-1.amzn2.0.2 fixed
Amazon Linux 2023	0:1.94.0-1.amzn2023.0.2 fixed

cargo-c

Amazon Linux 2023

0:0.10.19-1.amzn2023.0.2

fixed

cargo-c-debuginfo

Amazon Linux 2023

0:0.10.19-1.amzn2023.0.2

fixed

cargo-debuginfo

Amazon Linux 2023

0:1.94.0-1.amzn2023.0.2

fixed

clamav1.5

Amazon Linux 2023

0:1.5.1-1.amzn2023.0.5

fixed

clamav1.5-data

Amazon Linux 2023

0:1.5.1-1.amzn2023.0.5

fixed

clamav1.5-debuginfo

Amazon Linux 2023

0:1.5.1-1.amzn2023.0.5

fixed

clamav1.5-debugsource

Amazon Linux 2023

0:1.5.1-1.amzn2023.0.5

fixed

clamav1.5-devel

Amazon Linux 2023

0:1.5.1-1.amzn2023.0.5

fixed

clamav1.5-doc

Amazon Linux 2023

0:1.5.1-1.amzn2023.0.5

fixed

clamav1.5-filesystem

Amazon Linux 2023

0:1.5.1-1.amzn2023.0.5

fixed

clamav1.5-freshclam

Amazon Linux 2023

0:1.5.1-1.amzn2023.0.5

fixed

clamav1.5-freshclam-debuginfo

Amazon Linux 2023

0:1.5.1-1.amzn2023.0.5

fixed

clamav1.5-lib

Amazon Linux 2023

0:1.5.1-1.amzn2023.0.5

fixed

clamav1.5-lib-debuginfo

Amazon Linux 2023

0:1.5.1-1.amzn2023.0.5

fixed

clamav1.5-milter

Amazon Linux 2023

0:1.5.1-1.amzn2023.0.5

fixed

clamav1.5-milter-debuginfo

Amazon Linux 2023

0:1.5.1-1.amzn2023.0.5

fixed

clamd1.5

Amazon Linux 2023

0:1.5.1-1.amzn2023.0.5

fixed

clamd1.5-debuginfo

Amazon Linux 2023

0:1.5.1-1.amzn2023.0.5

fixed

clippy

Amazon Linux 2	0:1.94.0-1.amzn2.0.2 fixed
Amazon Linux 2023	0:1.94.0-1.amzn2023.0.2 fixed

clippy-debuginfo

Amazon Linux 2023

0:1.94.0-1.amzn2023.0.2

fixed

rust

Amazon Linux 2	0:1.94.0-1.amzn2.0.2 fixed
Amazon Linux 2023	0:1.94.0-1.amzn2023.0.2 fixed

rust-analyzer

Amazon Linux 2	0:1.94.0-1.amzn2.0.2 fixed
Amazon Linux 2023	0:1.94.0-1.amzn2023.0.2 fixed

rust-analyzer-debuginfo

Amazon Linux 2023

0:1.94.0-1.amzn2023.0.2

fixed

rust-below-debugsource

Amazon Linux 2023

0:0.11.0-1.amzn2023.0.3

fixed

rust-cargo-c-debugsource

Amazon Linux 2023

0:0.10.19-1.amzn2023.0.2

fixed

rust-debugger-common

Amazon Linux 2	0:1.94.0-1.amzn2.0.2 fixed
Amazon Linux 2023	0:1.94.0-1.amzn2023.0.2 fixed

rust-debuginfo

Amazon Linux 2023

0:1.94.0-1.amzn2023.0.2

fixed

rust-debugsource

Amazon Linux 2023

0:1.94.0-1.amzn2023.0.2

fixed

rust-doc

Amazon Linux 2	0:1.94.0-1.amzn2.0.2 fixed
Amazon Linux 2023	0:1.94.0-1.amzn2023.0.2 fixed

rust-gdb

Amazon Linux 2	0:1.94.0-1.amzn2.0.2 fixed
Amazon Linux 2023	0:1.94.0-1.amzn2023.0.2 fixed

rust-lldb

Amazon Linux 2023

0:1.94.0-1.amzn2023.0.2

fixed

rust-src

Amazon Linux 2	0:1.94.0-1.amzn2.0.2 fixed
Amazon Linux 2023	0:1.94.0-1.amzn2023.0.2 fixed

rust-std-static

Amazon Linux 2	0:1.94.0-1.amzn2.0.2 fixed
Amazon Linux 2023	0:1.94.0-1.amzn2023.0.2 fixed

rust-std-static-wasm32-unknown-unknown

Amazon Linux 2023

0:1.94.0-1.amzn2023.0.2

fixed

rust-std-static-wasm32-wasip1

Amazon Linux 2023

0:1.94.0-1.amzn2023.0.2

fixed

rust-toolset

Amazon Linux 2	0:1.94.0-1.amzn2.0.2 fixed
Amazon Linux 2023	0:1.94.0-1.amzn2023.0.2 fixed

rust-toolset-srpm-macros

Amazon Linux 2	0:1.94.0-1.amzn2.0.2 fixed
Amazon Linux 2023	0:1.94.0-1.amzn2023.0.2 fixed

rustfmt

Amazon Linux 2	0:1.94.0-1.amzn2.0.2 fixed
Amazon Linux 2023	0:1.94.0-1.amzn2023.0.2 fixed

rustfmt-debuginfo

Amazon Linux 2023

0:1.94.0-1.amzn2023.0.2

fixed

Azure Linux Releases

Azure Package

Release

clamav

Azure Linux 3.0

0:1.5.2-2.azl3

fixed

rpm-ostree

Azure Linux 3.0

0:2024.4-10.azl3

fixed

rust

Azure Linux 3.0

0:1.75.0-28.azl3

fixed

trident

Azure Linux 3.0

0:0.22.0-1.azl3

fixed

Known Exploits!

https://github.com/alexcrichton/tar-rs/security/advisories/GHSA-j4xf-2g29-59ph

Common Weakness Enumeration

CWE-61 - UNIX Symbolic Link (Symlink) Following
The software, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the software to operate on unauthorized files.

References

https://github.com/alexcrichton/tar-rs/commit/17b1fd84e632071cb8eef9d3709bf347bd266446

https://github.com/alexcrichton/tar-rs/security/advisories/GHSA-j4xf-2g29-59ph