CVE-2026-33055: Parser Differential and Archive Smuggling in Rust tar-rs


Vulnerability ID: CVE-2026-33055
CVSS Score: 5.1
Published: 2026-03-20

A parser differential vulnerability in the Rust tar-rs crate <= 0.4.44 allows attackers to smuggle hidden TAR entries past compliant security validators. The vulnerability arises from non-compliant handling of PAX extended header size overrides.

TL;DR

The tar-rs library fails to unconditionally honor PAX extended header size attributes, creating a parser differential against POSIX-compliant implementations. This discrepancy enables attackers to craft 'chameleon' archives that hide malicious entries from security scanners but are executed upon extraction by tar-rs.


⚠️ Exploit Status: POC

Technical Details

  • Vulnerability Type: Parser Differential / Type Confusion
  • CWE ID: CWE-843
  • CVSS v4.0: 5.1 (Medium)
  • EPSS Score: 0.00040 (0.04%)
  • Affected Component: tar-rs src/archive.rs (EntriesFields::next)
  • Exploit Status: Proof of Concept available
  • Attack Vector: Crafted TAR archive upload

Affected Systems

  • Applications utilizing the tar-rs crate <= 0.4.44
  • Rust-based backend services processing user-uploaded archives
  • tar-rs: <= 0.4.44 (Fixed in: 0.4.45)

Code Analysis

Commit: de1a587

Fix PAX size override logic to comply with POSIX standards and prevent entry smuggling

Mitigation Strategies

  • Upgrade the tar-rs library to version 0.4.45.
  • Configure upstream validation services to reject TAR archives with conflicting metadata fields.
  • Implement strong sandboxing and strict least-privilege principles for the extraction process.
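The second mitigation above is a check an upstream validator can perform itself: walk the archive, and for every entry that carries a PAX extended header with a `size` record, compare that value against the ustar header's size field. Any disagreement is the kind of conflicting metadata a compliant reader and a non-compliant reader would resolve differently, so the archive can be rejected before it reaches the extraction step. The following is an added example written for this report; it is not code from tar-rs or from the fix commit. It builds two small archives in memory (constructed test data, not real uploads) and assumes only the POSIX ustar/PAX layout: 512-byte blocks, an octal size at header offset 124, typeflag `x` for PAX headers, and PAX records of the form `<len> key=value\n`.

```python
from typing import List, Optional, Tuple

BLOCK = 512


def _octal(field: bytes) -> int:
    """Decode a NUL/space-terminated octal ustar field."""
    s = field.split(b"\0", 1)[0].strip()
    return int(s, 8) if s else 0


def _checksum(header: bytearray) -> int:
    # Per ustar, the checksum is computed with the 8-byte checksum field read as spaces.
    return sum(header[:148]) + 8 * 0x20 + sum(header[156:])


def build_header(name: bytes, size: int, typeflag: bytes) -> bytes:
    """Minimal ustar header (constructed helper for the sample archives)."""
    h = bytearray(BLOCK)
    h[0:len(name)] = name
    h[100:108] = b"0000644\0"          # mode
    h[108:116] = b"0000000\0"          # uid
    h[116:124] = b"0000000\0"          # gid
    h[124:136] = f"{size:011o}\0".encode()
    h[136:148] = b"00000000000\0"      # mtime
    h[156:157] = typeflag
    h[257:263] = b"ustar\0"
    h[263:265] = b"00"
    h[148:156] = f"{_checksum(h):06o}\0 ".encode()
    return bytes(h)


def _pad(data: bytes) -> bytes:
    rem = len(data) % BLOCK
    return data + b"\0" * (BLOCK - rem) if rem else data


def parse_pax(data: bytes) -> dict:
    """Parse PAX records: '<len> <key>=<value>\\n', where len counts the whole record."""
    attrs = {}
    pos = 0
    while pos < len(data):
        sp = data.index(b" ", pos)
        reclen = int(data[pos:sp])
        rec = data[pos:pos + reclen]
        key, _, val = rec[sp - pos + 1:].rstrip(b"\n").partition(b"=")
        attrs[key.decode()] = val.decode()
        pos += reclen
    return attrs


def find_size_conflicts(archive: bytes) -> List[Tuple[str, int, int]]:
    """Walk the archive with the POSIX rule (a PAX 'size' record overrides the
    ustar size field) and report every entry where the two values disagree."""
    conflicts = []
    pos = 0
    pending_pax: dict = {}
    while pos + BLOCK <= len(archive):
        hdr = archive[pos:pos + BLOCK]
        if hdr == b"\0" * BLOCK:          # end-of-archive marker
            break
        name = hdr[0:100].split(b"\0", 1)[0].decode()
        typeflag = hdr[156:157]
        header_size = _octal(hdr[124:136])
        pos += BLOCK
        if typeflag == b"x":              # PAX extended header for the next entry
            pending_pax = parse_pax(archive[pos:pos + header_size])
            pos += -(-header_size // BLOCK) * BLOCK
            continue
        effective = header_size
        if "size" in pending_pax:
            pax_size = int(pending_pax["size"])
            if pax_size != header_size:
                conflicts.append((name, header_size, pax_size))
            effective = pax_size
        pending_pax = {}
        pos += -(-effective // BLOCK) * BLOCK
    return conflicts


def sample_archive(header_size: int, pax_size: Optional[int], payload: bytes) -> bytes:
    """Constructed sample: one regular entry, optionally preceded by a PAX header
    whose 'size' record may disagree with the ustar size field."""
    parts = []
    if pax_size is not None:
        body = f"size={pax_size}\n"
        total = next(t for t in range(len(body) + 2, len(body) + 12)
                     if len(str(t)) + 1 + len(body) == t)
        record = f"{total} {body}".encode()
        parts.append(build_header(b"PaxHeader", len(record), b"x") + _pad(record))
    parts.append(build_header(b"notes.txt", header_size, b"0") + _pad(payload))
    parts.append(b"\0" * (2 * BLOCK))
    return b"".join(parts)


# Constructed inputs: a clean archive and one with conflicting size metadata.
CLEAN = sample_archive(5, None, b"hello")
CONFLICTING = sample_archive(12, 24, b"A" * 24)

if __name__ == "__main__":
    print("clean:", find_size_conflicts(CLEAN))              # []
    print("conflicting:", find_size_conflicts(CONFLICTING))  # [('notes.txt', 12, 24)]
```

A validator that rejects on any non-empty result from `find_size_conflicts` does not need to know which reader is downstream: it refuses exactly the archives on which a POSIX-compliant scanner and a reader that ignores the PAX override would disagree about entry boundaries.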

Remediation Steps:

  1. Identify all projects depending on the tar-rs crate using cargo tree or cargo audit.
  2. Update Cargo.toml to specify tar = "^0.4.45" (the tar-rs repository is published on crates.io as the tar crate).
  3. Run cargo update -p tar to update the lockfile.
  4. Recompile and deploy the updated application binaries.
