CVE-2026-33056

EUVD-2026-13616

20.03.2026, 08:16

tar-rs is a tar archive reading/writing library for Rust. In versions 0.4.44 and below, when unpacking a tar archive, the tar crate's unpack_dir function uses fs::metadata() to check whether a path that already exists is a directory. Because fs::metadata() follows symbolic links, a crafted tarball containing a symlink entry followed by a directory entry with the same name causes the crate to treat the symlink target as a valid existing directory — and subsequently apply chmod to it. This allows an attacker to modify the permissions of arbitrary directories outside the extraction root. This issue has been fixed in version 0.4.45.

Symlink

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.5 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 4%

Affected Products (NVD)

Vendor	Product	Version
tar_project	tar	𝑥 < 0.4.45

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

rust-tar

bookworm	vulnerable
bullseye	vulnerable
forky	0.4.45-2 fixed
sid	0.4.45-2 fixed
trixie	vulnerable

rustc

bookworm	vulnerable
bullseye	vulnerable
forky	1.94.1+dfsg1-1 fixed
sid	1.94.1+dfsg1-1 fixed
trixie	vulnerable

Ubuntu Releases

Ubuntu Product

Codename

rust-tar

focal	needs-triage
jammy	Fixed 0.4.37-3ubuntu0.1 released
noble	Fixed 0.4.40-1ubuntu0.1 released
questing	Fixed 0.4.43-4ubuntu0.1 released
resolute	not-affected

rustc

bionic	needs-triage
focal	needs-triage
jammy	Fixed 1.75.0+dfsg0ubuntu1~bpo0-0ubuntu0.22.04.1 released
noble	Fixed 1.75.0+dfsg0ubuntu1-0ubuntu7.4 released
questing	dne
resolute	dne
trusty	needs-triage
xenial	needs-triage

rustc-1.62

jammy	Fixed 1.62.1+dfsg1-1ubuntu0.22.04.3 released
noble	dne
questing	dne
resolute	dne

rustc-1.74

jammy	dne
noble	Fixed 1.74.1+dfsg0ubuntu1-0ubuntu15 released
questing	dne
resolute	dne

rustc-1.76

focal	needs-triage
jammy	Fixed 1.76.0+dfsg0ubuntu1~bpo0-0ubuntu0.22.04.1 released
noble	Fixed 1.76.0+dfsg0ubuntu1-0ubuntu0.24.04.2 released
questing	dne
resolute	dne

rustc-1.77

focal	needs-triage
jammy	Fixed 1.77.2+dfsg1ubuntu1~bpo0-0ubuntu0.22.04.1 released
noble	Fixed 1.77.2+dfsg1ubuntu1-0ubuntu0.24.04.1 released
questing	dne
resolute	dne

rustc-1.78

focal	needs-triage
jammy	Fixed 1.78.0+dfsg1ubuntu1~bpo0-0ubuntu0.22.04.1 released
noble	Fixed 1.78.0+dfsg1ubuntu1-0ubuntu0.24.04.2 released
questing	dne
resolute	dne

rustc-1.79

focal	needs-triage
jammy	Fixed 1.79.0+dfsg1ubuntu1~bpo0-0ubuntu0.22.04.1 released
noble	Fixed 1.79.0+dfsg1ubuntu1-0ubuntu0.24.04.1 released
questing	dne
resolute	dne

rustc-1.80

focal	needs-triage
jammy	Fixed 1.80.1+dfsg0ubuntu1~bpo0-0ubuntu0.22.04.1 released
noble	Fixed 1.80.1+dfsg0ubuntu1-0ubuntu0.24.04.01 released
questing	dne
resolute	dne

rustc-1.81

jammy	Fixed 1.81.0+dfsg0ubuntu0-0ubuntu0.22.04.1 released
noble	Fixed 1.81.0+dfsg0ubuntu1-0ubuntu0.24.04.1 released
questing	dne
resolute	dne

rustc-1.82

jammy	Fixed 1.82.0+dfsg0ubuntu0~jammy-0ubuntu0.22.04.1 released
noble	Fixed 1.82.0+dfsg0ubuntu0-0ubuntu0.24.04.1 released
questing	dne
resolute	dne

rustc-1.83

jammy	Fixed 1.83.0+dfsg0ubuntu2~bpo2-0ubuntu2.22.04.1 released
noble	Fixed 1.83.0+dfsg0ubuntu1~bpo2-0ubuntu0.24.04.1 released
questing	dne
resolute	dne

rustc-1.84

jammy	Fixed 1.84.1+dfsg0ubuntu1~bpo10-0ubuntu4.22.04.1 released
noble	Fixed 1.84.1+dfsg0ubuntu1~bpo2-0ubuntu2.24.04.1 released
questing	dne
resolute	dne

rustc-1.85

jammy	Fixed 1.85.1+dfsg0ubuntu2~bpo0-0ubuntu1.22.04.1 released
noble	Fixed 1.85.1+dfsg0ubuntu2~bpo0-0ubuntu0.24.04.2 released
questing	Fixed 1.85.1+dfsg0ubuntu2-0ubuntu1.25.04.1 released
resolute	dne

rustc-1.88

jammy	dne
noble	dne
questing	Fixed 1.88.0+dfsg0ubuntu1-0ubuntu2 released
resolute	dne

rustc-1.89

jammy	Fixed 1.89.0+dfsg~24.04-0ubuntu0.22.04.2 released
noble	Fixed 1.89.0+dfsg~24.04-0ubuntu0.24.04.2 released
questing	dne
resolute	dne

rustc-1.91

jammy	Fixed 1.91.1+dfsg~22.04-0ubuntu0.22.04.3 released
noble	Fixed 1.91.1+dfsg~24.04-0ubuntu0.24.04.2 released
questing	not-affected
resolute	not-affected

rustc-1.92

jammy	dne
noble	dne
questing	dne
resolute	not-affected

rustc-1.93

jammy	dne
noble	dne
questing	dne
resolute	not-affected

cargo

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
noble	dne
questing	dne
resolute	dne
xenial	needs-triage

rust-cargo-c

jammy	dne
noble	needs-triage
questing	Fixed 0.10.11-1ubuntu1.1 released
resolute	not-affected

rust-async-tar

jammy	dne
noble	needs-triage
questing	needs-triage
resolute	dne

rust-astral-tokio-tar

jammy	dne
noble	dne
questing	needs-triage
resolute	needs-triage

Known Exploits!

https://github.com/alexcrichton/tar-rs/security/advisories/GHSA-j4xf-2g29-59ph

Common Weakness Enumeration

CWE-61 - UNIX Symbolic Link (Symlink) Following
The software, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the software to operate on unauthorized files.

References

https://github.com/alexcrichton/tar-rs/commit/17b1fd84e632071cb8eef9d3709bf347bd266446

https://github.com/alexcrichton/tar-rs/security/advisories/GHSA-j4xf-2g29-59ph