{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33055", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T18:10:50.213Z", "datePublished": "2026-03-20T07:06:08.390Z", "dateUpdated": "2026-03-20T15:44:15.706Z"}, "containers": {"cna": {"title": "tar-rs incorrectly ignores PAX size headers if header size is nonzero", "problemTypes": [{"descriptions": [{"cweId": "CWE-843", "lang": "en", "description": "CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/alexcrichton/tar-rs/security/advisories/GHSA-gchp-q4r4-x4ff", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/alexcrichton/tar-rs/security/advisories/GHSA-gchp-q4r4-x4ff"}, {"name": "https://github.com/alexcrichton/tar-rs/commit/de1a5870e603758f430073688691165f21a33946", "tags": ["x_refsource_MISC"], "url": "https://github.com/alexcrichton/tar-rs/commit/de1a5870e603758f430073688691165f21a33946"}, {"name": "https://www.cve.org/CVERecord?id=CVE-2025-62518", "tags": ["x_refsource_MISC"], "url": "https://www.cve.org/CVERecord?id=CVE-2025-62518"}], "affected": [{"vendor": "alexcrichton", "product": "tar-rs", "versions": [{"version": "< 0.4.45", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T07:06:08.390Z"}, "descriptions": [{"lang": "en", "value": "tar-rs is a tar archive reading/writing library for Rust. Versions 0.4.44 and below have conditional logic that skips the PAX size header in cases where the base header size is nonzero. As part of CVE-2025-62518, the astral-tokio-tar project was changed to correctly honor PAX size headers in the case where it was different from the base header. This is almost the inverse of the astral-tokio-tar issue. Any discrepancy in how tar parsers honor file size can be used to create archives that appear differently when unpacked by different archivers. In this case, the tar-rs (Rust tar) crate is an outlier in checking for the header size - other tar parsers (including e.g. Go archive/tar) unconditionally use the PAX size override. This can affect anything that uses the tar crate to parse archives and expects to have a consistent view with other parsers. This issue has been fixed in version 0.4.45."}], "source": {"advisory": "GHSA-gchp-q4r4-x4ff", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T15:43:55.137601Z", "id": "CVE-2026-33055", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T15:44:15.706Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33055", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-20T15:43:55.137601Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T15:44:11.127Z"}}], "cna": {"title": "tar-rs incorrectly ignores PAX size headers if header size is nonzero", "source": {"advisory": "GHSA-gchp-q4r4-x4ff", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "alexcrichton", "product": "tar-rs", "versions": [{"status": "affected", "version": "< 0.4.45"}]}], "references": [{"url": "https://github.com/alexcrichton/tar-rs/security/advisories/GHSA-gchp-q4r4-x4ff", "name": "https://github.com/alexcrichton/tar-rs/security/advisories/GHSA-gchp-q4r4-x4ff", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/alexcrichton/tar-rs/commit/de1a5870e603758f430073688691165f21a33946", "name": "https://github.com/alexcrichton/tar-rs/commit/de1a5870e603758f430073688691165f21a33946", "tags": ["x_refsource_MISC"]}, {"url": "https://www.cve.org/CVERecord?id=CVE-2025-62518", "name": "https://www.cve.org/CVERecord?id=CVE-2025-62518", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "tar-rs is a tar archive reading/writing library for Rust. Versions 0.4.44 and below have conditional logic that skips the PAX size header in cases where the base header size is nonzero. As part of CVE-2025-62518, the astral-tokio-tar project was changed to correctly honor PAX size headers in the case where it was different from the base header. This is almost the inverse of the astral-tokio-tar issue. Any discrepancy in how tar parsers honor file size can be used to create archives that appear differently when unpacked by different archivers. In this case, the tar-rs (Rust tar) crate is an outlier in checking for the header size - other tar parsers (including e.g. Go archive/tar) unconditionally use the PAX size override. This can affect anything that uses the tar crate to parse archives and expects to have a consistent view with other parsers. This issue has been fixed in version 0.4.45."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-843", "description": "CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T07:06:08.390Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33055", "state": "PUBLISHED", "dateUpdated": "2026-03-20T15:44:15.706Z", "dateReserved": "2026-03-17T18:10:50.213Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T07:06:08.390Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:alexcrichton:tar-rs:*:*:*:*:*:rust:*:*", "matchCriteriaId": "6BFF2938-0282-4340-B01B-3B365160D641", "versionEndExcluding": "0.4.45", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "tar-rs is a tar archive reading/writing library for Rust. Versions 0.4.44 and below have conditional logic that skips the PAX size header in cases where the base header size is nonzero. As part of CVE-2025-62518, the astral-tokio-tar project was changed to correctly honor PAX size headers in the case where it was different from the base header. This is almost the inverse of the astral-tokio-tar issue. Any discrepancy in how tar parsers honor file size can be used to create archives that appear differently when unpacked by different archivers. In this case, the tar-rs (Rust tar) crate is an outlier in checking for the header size - other tar parsers (including e.g. Go archive/tar) unconditionally use the PAX size override. This can affect anything that uses the tar crate to parse archives and expects to have a consistent view with other parsers. This issue has been fixed in version 0.4.45."}, {"lang": "es", "value": "tar-rs es una biblioteca de lectura/escritura de archivos tar para Rust. Las versiones 0.4.44 e inferiores tienen l\u00f3gica condicional que omite el encabezado de tama\u00f1o PAX en los casos en que el tama\u00f1o del encabezado base no es cero. Como parte de CVE-2025-62518, el proyecto astral-tokio-tar fue modificado para respetar correctamente los encabezados de tama\u00f1o PAX en el caso en que fuera diferente del encabezado base. Esto es casi lo inverso del problema de astral-tokio-tar. Cualquier discrepancia en c\u00f3mo los analizadores tar respetan el tama\u00f1o del archivo puede ser utilizada para crear archivos que aparecen de manera diferente cuando son desempaquetados por diferentes archivadores. En este caso, el 'crate' tar-rs (tar de Rust) es una excepci\u00f3n al verificar el tama\u00f1o del encabezado; otros analizadores tar (incluyendo, por ejemplo, Go archive/tar) usan incondicionalmente la anulaci\u00f3n de tama\u00f1o PAX. Esto puede afectar cualquier cosa que use el 'crate' tar para analizar archivos y espere tener una vista consistente con otros analizadores. Este problema ha sido corregido en la versi\u00f3n 0.4.45."}], "id": "CVE-2026-33055", "lastModified": "2026-03-23T15:27:16.467", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T07:16:13.543", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/alexcrichton/tar-rs/commit/de1a5870e603758f430073688691165f21a33946"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/alexcrichton/tar-rs/security/advisories/GHSA-gchp-q4r4-x4ff"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://www.cve.org/CVERecord?id=CVE-2025-62518"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-843"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.4.45)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "tar-rs", "source": "cna", "vendor": "alexcrichton"}, "product": "tar-rs", "vendor": "alexcrichton"}], "analysis": {"en": {"generated_at": "2026-03-23T16:28:31.595143+00:00", "value": {"mitigation_remediation": ["Upgrade tar-rs to version 0.4.45 or later."], "summary": {"action": "Upgrade", "impact": "Inconsistent file size interpretation leading to potential accidental logic errors or malicious archive handling"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Rust tar archive library maintained by alexcrichton, specifically versions 0.4.44 and earlier. The issue is resolved in version 0.4.45 and later.", "description_and_impact": "The library incorrectly skips the PAX size header when the base header size is nonzero, causing tar archives to be interpreted at different sizes by this parser than by other implementations. This discrepancy can lead to confusion or unexpected behavior in applications that rely on consistent archive contents, and may be exploited to craft archives that behave differently across utilities, potentially leading to logic errors or resource misuse.", "risk_and_exploitability": "The CVSS score of 5.1 indicates a moderate impact; EPSS is below 1%, suggesting low exploitation probability and the vulnerability is not listed in CISA's KEV catalog. The likely attack vector involves delivering a malicious tar archive to an application that uses this library; the attacker does not gain code execution but can cause misinterpretation of file sizes, potentially leading to incorrect processing or errors. Because the flaw only affects archive parsing, it does not directly enable arbitrary code execution or denial of service without additional application vulnerabilities."}}}}, "created": "2026-03-20T10:36:55.650055+00:00", "updated": "2026-03-25T14:30:12.932156+00:00", "vendors": ["alexcrichton", "alexcrichton$PRODUCT$tar-rs"]}