CVE-2026-33056

Name: CVE-2026-33056
Description: tar-rs is a tar archive reading/writing library for Rust. In versions 0.4.44 and below, when unpacking a tar archive, the tar crate's unpack_dir function uses fs::metadata() to check whether a path that already exists is a directory. Because fs::metadata() follows symbolic links, a crafted tarball containing a symlink entry followed by a directory entry with the same name causes the crate to treat the symlink target as a valid existing directory, and subsequently apply chmod to it. This allows an attacker to modify the permissions of arbitrary directories outside the extraction root. This issue has been fixed in version 0.4.45.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1131481

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package    Release      Version           Status
rust-tar (PTS)    bullseye     0.4.26-1          vulnerable
                  bookworm     0.4.38-1          vulnerable
                  trixie       0.4.43-4          vulnerable
                  forky, sid   0.4.45-2          fixed
rustc (PTS)       bullseye     1.48.0+dfsg1-2    vulnerable
                  bookworm     1.63.0+dfsg1-2    vulnerable
                  trixie       1.85.0+dfsg3-1    vulnerable
                  forky        1.92.0+dfsg1-2    fixed
                  sid          1.93.1+dfsg1-2    fixed

The information below is based on the following data on fixed versions.

Package     Type      Release      Fixed Version     Urgency   Origin   Debian Bugs
rust-tar    source    (unstable)   0.4.45-1                             1131481
rustc       source    (unstable)   1.92.0+dfsg1-2

Notes

https://rustsec.org/advisories/RUSTSEC-2026-0067.html
https://github.com/alexcrichton/tar-rs/security/advisories/GHSA-j4xf-2g29-59ph
Fixed by: https://github.com/alexcrichton/tar-rs/commit/17b1fd84e632071cb8eef9d3709bf347bd266446 (0.4.45)
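The check described above, replayed with the Rust standard library only. This is an added example, not tar-rs's own code (that is in the commit linked above), and the two unpack_dir functions are simplified models of the pre- and post-fix logic: the first consults fs::metadata(), which follows symlinks, the second fs::symlink_metadata(), which does not. The scratch directory tree, the "evil" entry name and the 0777 mode are constructed here to stand in for the crafted tarball.

```rust
use std::fs;
use std::io;
use std::os::unix::fs::{symlink, PermissionsExt};
use std::path::Path;
use std::time::{SystemTime, UNIX_EPOCH};

/// Model of the pre-0.4.45 behaviour (simplified, not the crate's source):
/// when the target already exists, fs::metadata() decides whether it is a
/// directory. fs::metadata() follows symlinks, so a link to any directory on
/// the system passes, and the chmod that follows lands on the link target.
fn unpack_dir_vulnerable(dst: &Path, mode: u32) -> io::Result<()> {
    if let Err(err) = fs::create_dir(dst) {
        if err.kind() != io::ErrorKind::AlreadyExists {
            return Err(err);
        }
        if !fs::metadata(dst)?.is_dir() {
            return Err(err);
        }
    }
    // chmod(2) resolves symlinks as well, so this hits whatever `dst` points at.
    fs::set_permissions(dst, fs::Permissions::from_mode(mode))
}

/// Hardened form: fs::symlink_metadata() (lstat) reports the symlink itself,
/// so a link is never mistaken for an existing directory and the entry is
/// refused before any chmod happens.
fn unpack_dir_fixed(dst: &Path, mode: u32) -> io::Result<()> {
    if let Err(err) = fs::create_dir(dst) {
        if err.kind() != io::ErrorKind::AlreadyExists {
            return Err(err);
        }
        if !fs::symlink_metadata(dst)?.is_dir() {
            return Err(io::Error::new(
                io::ErrorKind::AlreadyExists,
                format!("{} exists and is not a directory", dst.display()),
            ));
        }
    }
    fs::set_permissions(dst, fs::Permissions::from_mode(mode))
}

/// Plays the two crafted entries against one unpack routine inside a scratch
/// tree (constructed here). Returns the permission bits of the "outside"
/// directory afterwards and whether the directory entry was accepted.
fn replay_crafted_archive(
    tag: &str,
    unpack_dir: fn(&Path, u32) -> io::Result<()>,
) -> io::Result<(u32, bool)> {
    let nanos = SystemTime::now().duration_since(UNIX_EPOCH).unwrap().as_nanos();
    let base = std::env::temp_dir()
        .join(format!("cve-2026-33056-{}-{}-{}", tag, std::process::id(), nanos));
    let outside = base.join("outside"); // stands in for a directory outside the extraction root
    let root = base.join("root"); // the extraction root handed to the unpacker
    fs::create_dir_all(&outside)?;
    fs::create_dir_all(&root)?;
    fs::set_permissions(&outside, fs::Permissions::from_mode(0o700))?;

    // Entry 1 of the crafted tarball: symlink "evil" -> <outside>.
    symlink(&outside, root.join("evil"))?;
    // Entry 2: directory "evil" with mode 0777, the same name as the symlink.
    let accepted = unpack_dir(&root.join("evil"), 0o777).is_ok();

    let bits = fs::metadata(&outside)?.permissions().mode() & 0o777;
    fs::remove_dir_all(&base)?;
    Ok((bits, accepted))
}

fn main() -> io::Result<()> {
    let (bits, accepted) = replay_crafted_archive("vulnerable", unpack_dir_vulnerable)?;
    println!("fs::metadata():         accepted={} outside dir now mode {:o}", accepted, bits);
    let (bits, accepted) = replay_crafted_archive("fixed", unpack_dir_fixed)?;
    println!("fs::symlink_metadata(): accepted={} outside dir still mode {:o}", accepted, bits);
    Ok(())
}
```

Run it on a Unix host: the fs::metadata() variant accepts the directory entry and the outside directory ends up mode 0777, the fs::symlink_metadata() variant refuses it and the directory keeps mode 0700. The same lstat-versus-stat distinction applies to every "does this path already exist" decision an extractor makes, not only to directories.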
