CVE-2026-33056 - Vulnerability Details

tar-rs is a tar archive reading/writing library for Rust. In versions 0.4.44 and below, when unpacking a tar archive, the tar crate's unpack_dir function uses fs::metadata() to check whether a path that already exists is a directory. Because fs::metadata() follows symbolic links, a crafted tarball containing a symlink entry followed by a directory entry with the same name causes the crate to treat the symlink target as a valid existing directory — and subsequently apply chmod to it. This allows an attacker to modify the permissions of arbitrary directories outside the extraction root. This issue has been fixed in version 0.4.45.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Active

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00018.

Exploitation none

Automatable no

Technical Impact partial

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

alexcrichton

tar-rs

affected

Version	Status	Constraints
`< 0.4.45`	affected	—

Configuration 1 [-]

cpe:2.3:a:tar_project:tar:*:*:*:*:*:rust:*:*

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Alexcrichton Subscribe	Tar-rs Subscribe

Project Subscriptions

Vendors	Products
Alexcrichton Subscribe	Tar-rs Subscribe
Tar Project Subscribe	Tar Subscribe

Advisories

Source	ID	Title
Github GHSA	GHSA-j4xf-2g29-59ph	tar-rs `unpack_in` can chmod arbitrary directories by following symlinks

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/alexcrichton/tar-rs/commit/17b1fd84e632071cb8eef9d3709bf347bd266446
https://github.com/alexcrichton/tar-rs/security/advisories/GHSA-j4xf-2g29-59ph
https://nvd.nist.gov/vuln/detail/CVE-2026-33056
https://www.cve.org/CVERecord?id=CVE-2026-33056

History

Tue, 24 Mar 2026 16:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Tar Project Tar Project tar
CPEs		cpe:2.3:a:tar_project:tar::::::rust::*
Vendors & Products		Tar Project Tar Project tar
Metrics	cvssV3_1 `{'score': 4.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}`	cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}`

Sat, 21 Mar 2026 05:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-59
References		https://nvd.nist.gov/vuln/detail/CVE-2026-33056 https://www.cve.org/CVERecord?id=CVE-2026-33056
Metrics	threat_severity `None`	cvssV3_1 `{'score': 4.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}` threat_severity `Moderate`

Fri, 20 Mar 2026 13:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 20 Mar 2026 09:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Alexcrichton Alexcrichton tar-rs
Vendors & Products		Alexcrichton Alexcrichton tar-rs

Fri, 20 Mar 2026 07:45:00 +0000

Type	Values Removed	Values Added
Description		tar-rs is a tar archive reading/writing library for Rust. In versions 0.4.44 and below, when unpacking a tar archive, the tar crate's unpack_dir function uses fs::metadata() to check whether a path that already exists is a directory. Because fs::metadata() follows symbolic links, a crafted tarball containing a symlink entry followed by a directory entry with the same name causes the crate to treat the symlink target as a valid existing directory — and subsequently apply chmod to it. This allows an attacker to modify the permissions of arbitrary directories outside the extraction root. This issue has been fixed in version 0.4.45.
Title		tar-rs: unpack_in can chmod arbitrary directories by following symlinks
Weaknesses		CWE-61
References		https://github.com/alexcrichton/tar-rs/commit/17b1fd84e632071cb8eef9d3709bf347bd266446 https://github.com/alexcrichton/tar-rs/security/advisories/GHSA-j4xf-2g29-59ph
Metrics		cvssV4_0 `{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-03-20T07:11:10.448Z

Updated: 2026-03-20T12:59:30.468Z

Reserved: 2026-03-17T18:10:50.213Z

Link: CVE-2026-33056

Vulnrichment

Updated: 2026-03-20T12:59:23.475Z

NVD

Status : Analyzed

Published: 2026-03-20T08:16:11.603

Modified: 2026-03-24T16:17:11.623

Link: CVE-2026-33056

Redhat

Severity : Moderate

Publid Date: 2026-03-20T07:11:10Z

Links: CVE-2026-33056 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-20T10:36:54Z

Weaknesses

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Active

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Project Subscriptions

Projects

JSON object

JSON object

JSON object

JSON object

JSON object