Description

tar-rs is a tar archive reading/writing library for Rust. In versions 0.4.44 and below, when unpacking a tar archive, the tar crate's unpack_dir function uses fs::metadata() to check whether a path that already exists is a directory. Because fs::metadata() follows symbolic links, a crafted tarball containing a symlink entry followed by a directory entry with the same name causes the crate to treat the symlink target as a valid existing directory — and subsequently apply chmod to it. This allows an attacker to modify the permissions of arbitrary directories outside the extraction root. This issue has been fixed in version 0.4.45.

INFO

Published Date :

2026-03-20T07:11:10.448Z

Last Modified :

2026-03-20T12:59:30.468Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-33056 vulnerability.

Vendors Products
Alexcrichton
  • Tar-rs
Tar Project
  • Tar
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-33056.

URL Resource
https://github.com/alexcrichton/tar-rs/commit/17b1fd84e632071cb8eef9d3709bf347bd266446 cve-icon cve-icon cve-icon
https://github.com/alexcrichton/tar-rs/security/advisories/GHSA-j4xf-2g29-59ph cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2026-33056 cve-icon
https://www.cve.org/CVERecord?id=CVE-2026-33056 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact