Description
astral-tokio-tar is a tar archive reading/writing library for async Rust. In versions 0.5.6 and earlier, malformed PAX extensions were silently skipped when parsing tar archives. This silent skipping (rather than rejection) of invalid PAX extensions could be used as a building block for a parser differential, for example by silently skipping a malformed GNU “long link” extension so that a subsequent parser would misinterpret the extension. In practice, exploiting this behavior in astral-tokio-tar requires a secondary misbehaving tar parser, i.e. one that insufficiently validates malformed PAX extensions and interprets them rather than skipping or erroring on them. This vulnerability is considered low-severity as it requires a separate vulnerability against any unrelated tar parser. This issue has been fixed in version 0.6.0.
Published: 2026-03-20
Score: 1.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Limited Attack Potential due to parser differential
Action: Apply Patch
AI Analysis

Impact

Astral‑tokio‑tar’s tar archive parser silently ignores malformed PAX extensions in versions 0.5.6 and earlier. This silent skipping, rather than rejecting them, could become part of a parser differential attack. If an adversary supplies an archive that contains malformed GNU “long link” PAX entries, the tokio‑tar library will drop those entries and leave them hidden. A second, unrelated tar parser that does not share this silent‑skip behaviour may still interpret the malformed entries, causing that parser to misread or misinterpret the archive, potentially leading to unexpected behaviour or security holes. The vulnerability is classified as low‑severity because it requires a separate flaw in another, unrelated tar parser for exploitable impact.

Affected Systems

The affected product is astral‑sh:tokio‑tar, a Rust tar archive library. Any installation using version 0.5.6 or earlier is vulnerable. The issue was corrected in version 0.6.0. No other versions are listed as impacted.

Risk and Exploitability

The CVSS score is 1.7, indicating a very low base severity. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog, further suggesting low exploitation likelihood. Exploitation requires a second, malicious tar parser that inadequately validates PAX extensions, which is uncommon. Therefore the overall risk is considered low but still recommend prompt mitigation.

Generated by OpenCVE AI on March 20, 2026 at 13:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade astral‑tokio‑tar to version 0.6.0 or later
  • Check the upstream project for any additional patches or advisories

Generated by OpenCVE AI on March 20, 2026 at 13:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-6gx3-4362-rf54 astral-tokio-tar insufficiently validates PAX extensions during extraction
History

Fri, 20 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1286
References
Metrics threat_severity

None

 cvssV3_1

{'score': 2.5, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N'}

threat_severity

Low

Fri, 20 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Astral
Astral tokio-tar
Vendors & Products Astral
Astral tokio-tar

Fri, 20 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Description astral-tokio-tar is a tar archive reading/writing library for async Rust. In versions 0.5.6 and earlier, malformed PAX extensions were silently skipped when parsing tar archives. This silent skipping (rather than rejection) of invalid PAX extensions could be used as a building block for a parser differential, for example by silently skipping a malformed GNU “long link” extension so that a subsequent parser would misinterpret the extension. In practice, exploiting this behavior in astral-tokio-tar requires a secondary misbehaving tar parser, i.e. one that insufficiently validates malformed PAX extensions and interprets them rather than skipping or erroring on them. This vulnerability is considered low-severity as it requires a separate vulnerability against any unrelated tar parser. This issue has been fixed in version 0.6.0.
Title astral-tokio-tar insufficiently validates PAX extensions during extraction
Weaknesses CWE-436
References
Metrics cvssV4_0

{'score': 1.7, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U'}

Subscriptions

Astral Tokio-tar
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T18:09:06.340Z

Reserved: 2026-03-13T18:53:03.533Z

Link: CVE-2026-32766

cve-icon Vulnrichment

Updated: 2026-03-20T16:56:50.716Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-20T00:16:18.100

Modified: 2026-03-20T13:37:50.737

Link: CVE-2026-32766

cve-icon Redhat

Severity : Low

Publid Date: 2026-03-20T00:07:36Z

Links: CVE-2026-32766 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T14:14:40Z

Weaknesses