CVE-2026-33055 Overview
CVE-2026-33055 is a Type Confusion vulnerability in tar-rs, a popular tar archive reading/writing library for Rust. The vulnerability exists in versions 0.4.44 and below, where conditional logic incorrectly skips the PAX size header when the base header size is nonzero. This parsing inconsistency can lead to different interpretations of archive contents across various tar parsers, potentially enabling attackers to craft malicious archives that appear differently when unpacked by different tools.
Critical Impact
Attackers can create specially crafted tar archives that are interpreted differently by tar-rs compared to other parsers (like Go's archive/tar), potentially leading to file content manipulation or security control bypass when archives are processed by multiple systems.
Affected Products
- alexcrichton tar-rs versions 0.4.44 and below
- Applications using the Rust tar crate for archive parsing
- Systems relying on consistent archive interpretation across multiple parsers
Discovery Timeline
- 2026-03-20 - CVE-2026-33055 published to NVD
- 2026-03-23 - Last updated in NVD database
Technical Details for CVE-2026-33055
Vulnerability Analysis
The tar-rs library implements conditional logic that skips PAX (Portable Archive eXchange) size headers when the base header already contains a nonzero size value. This behavior deviates from how other major tar implementations handle the same scenario. Standard-compliant parsers, including Go's archive/tar, unconditionally use the PAX size override when present, regardless of the base header value.
This parsing discrepancy creates a Type Confusion scenario (CWE-843) where the same archive data is interpreted differently depending on which parser processes it. The vulnerability is related to CVE-2025-62518, which addressed the inverse issue in the astral-tokio-tar project.
Root Cause
The root cause lies in the non-standard conditional logic within the tar-rs header parsing routine. When processing tar archives, the library checks if the base header size is nonzero before deciding whether to apply the PAX size override. According to proper PAX header semantics, the PAX size should always take precedence when present, but tar-rs incorrectly prioritizes the base header value in certain conditions.
Attack Vector
An attacker can exploit this vulnerability via network-delivered malicious tar archives. The attack requires user interaction to download and process the crafted archive. The exploitation scenario involves:
- Creating a specially crafted tar archive with conflicting base header and PAX size values
- Distributing the archive to targets using tar-rs for extraction
- The archive contents are then interpreted differently by tar-rs than by other standard tar parsers
This inconsistency can be weaponized in supply chain attacks where archives pass through multiple processing stages using different tar implementations, or in security scanning scenarios where a scanner using one parser might see different file contents than the actual extraction tool.
The vulnerability manifests when tar-rs encounters an archive entry with both a nonzero base header size and a PAX size extension. Instead of unconditionally honoring the PAX size override as specified in the PAX standard, tar-rs conditionally skips it. For technical implementation details, see the GitHub Security Advisory.
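The size resolution described above, as an added illustration that is not tar-rs code: a ustar size-field parser, a PAX record walker, the vulnerable and the fixed precedence rules, and the conflicting-size indicator from the detection section. Function names and the sample header bytes are constructed for this example.

```rust
/// Parse the 12-byte octal `size` field of a ustar header (NUL/space padded).
fn parse_ustar_size(field: &[u8; 12]) -> Option<u64> {
    field.iter().take_while(|&&b| b != 0 && b != b' ').try_fold(0u64, |acc, &b| {
        // reject non-octal digits (base-256 size encoding is out of scope here)
        let d = (b'0'..=b'7').contains(&b).then(|| u64::from(b - b'0'))?;
        acc.checked_mul(8)?.checked_add(d)
    })
}

/// Walk PAX records ("<len> key=value\n") and return the `size` value, if any.
fn pax_size(pax_data: &[u8]) -> Option<u64> {
    let mut rest = pax_data;
    while !rest.is_empty() {
        let sp = rest.iter().position(|&b| b == b' ')?;
        let len: usize = std::str::from_utf8(&rest[..sp]).ok()?.parse().ok()?;
        if len < sp + 2 || len > rest.len() || rest[len - 1] != b'\n' {
            return None; // malformed: length must span prefix through newline
        }
        let rec = std::str::from_utf8(&rest[sp + 1..len - 1]).ok()?;
        if let Some(v) = rec.strip_prefix("size=") {
            return v.parse().ok();
        }
        rest = &rest[len..];
    }
    None
}

/// tar-rs 0.4.44 and below, as described: PAX size only used when base is zero.
fn effective_size_vulnerable(base: u64, pax: Option<u64>) -> u64 {
    if base != 0 { base } else { pax.unwrap_or(0) }
}

/// PAX semantics and the 0.4.45 fix: a PAX size record always overrides.
fn effective_size_fixed(base: u64, pax: Option<u64>) -> u64 {
    pax.unwrap_or(base)
}

/// Indicator from the detection section: PAX size present and differing.
fn has_conflicting_sizes(base: u64, pax: Option<u64>) -> bool {
    matches!(pax, Some(p) if p != base)
}

fn main() {
    // Constructed sample: base header claims 64 bytes, PAX record says 1234567890.
    let (base, pax) = (parse_ustar_size(b"00000000100\0").unwrap(),
                       pax_size(b"16 path=foo.txt\n19 size=1234567890\n"));
    println!("vulnerable={} fixed={} conflict={}", effective_size_vulnerable(base, pax),
        effective_size_fixed(base, pax), has_conflicting_sizes(base, pax));
}
```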
Detection Methods for CVE-2026-33055
Indicators of Compromise
- Tar archives containing PAX extended headers with size values that differ from their corresponding base header sizes
- Unexpected file size discrepancies when the same archive is extracted by different tools
- Log entries indicating archive extraction anomalies or file truncation issues
Detection Strategies
- Implement dependency scanning to identify applications using tar-rs versions 0.4.44 and below
- Monitor for tar archives with conflicting base header and PAX size values using archive analysis tools
- Cross-reference archive contents when processed by multiple systems to detect parsing inconsistencies
- Use software composition analysis (SCA) tools to flag vulnerable tar-rs dependencies in Rust projects
Monitoring Recommendations
- Enable verbose logging for archive extraction operations in applications using tar-rs
- Implement file integrity monitoring for directories where tar archives are regularly extracted
- Monitor Cargo.lock files in CI/CD pipelines for vulnerable tar crate versions
- Set up alerts for dependency updates to ensure timely patching of the tar-rs library
How to Mitigate CVE-2026-33055
Immediate Actions Required
- Upgrade tar-rs to version 0.4.45 or later immediately
- Audit applications using the tar crate to identify all affected deployments
- Review any archives processed by affected systems for potential manipulation
- Implement input validation for tar archives from untrusted sources
Patch Information
The vulnerability has been fixed in tar-rs version 0.4.45. The patch corrects the PAX size header handling to unconditionally honor PAX size overrides, aligning with the behavior of other standard tar implementations. The fix is available via the GitHub commit.
To update the dependency in your Rust project, modify your Cargo.toml to require the patched version.
Workarounds
- Validate tar archives using a standard-compliant parser before processing with tar-rs
- Implement additional integrity checks comparing archive contents across multiple parser implementations
- Restrict archive processing to trusted sources only until the patch can be applied
- Consider temporarily switching to an alternative tar parsing library that correctly handles PAX headers
# Update tar-rs dependency to patched version
cargo update -p tar --precise 0.4.45
# Verify the installed version
cargo tree -p tar
# Audit for vulnerable dependencies
cargo audit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.