Description
tar-rs is a tar archive reading/writing library for Rust. Versions 0.4.44 and earlier contain conditional logic that skips the PAX size header whenever the base header size is nonzero. As part of CVE-2025-62518, the astral-tokio-tar project was changed to correctly honor PAX size headers when they differ from the base header; this issue is almost the inverse of that one. Any discrepancy in how tar parsers honor file size can be used to create archives that appear differently when unpacked by different archivers. Here the tar-rs (Rust tar) crate is the outlier in consulting the base header size: other tar parsers (including, e.g., Go archive/tar) unconditionally use the PAX size override. This can affect anything that uses the tar crate to parse archives and expects a view consistent with other parsers. This issue has been fixed in version 0.4.45.
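The size-resolution difference the description contrasts, as an added example that is not tar-rs code: a small PAX record parser and ustar size-field decoder, the PAX-compliant rule beside the rule the advisory attributes to tar-rs 0.4.44 and earlier, and an intake check that flags entries the two rules would size differently (all function names are assumptions).

```rust
// Added example (not tar-rs code): the two size-resolution rules the advisory contrasts,
// applied to PAX records ("<len> <key>=<value>\n") and the 12-byte octal ustar size field.

/// Parse a PAX extended-header body into (key, value) pairs; a malformed
/// record stops parsing instead of guessing.
pub fn parse_pax(body: &[u8]) -> Vec<(String, String)> {
    let mut out = Vec::new();
    let mut rest = body;
    while !rest.is_empty() {
        let sp = match rest.iter().position(|&b| b == b' ') { Some(i) => i, None => break };
        // The decimal length counts the whole record including the trailing '\n'.
        let len = match std::str::from_utf8(&rest[..sp]).ok().and_then(|s| s.parse::<usize>().ok()) {
            Some(n) if n > sp + 1 && n <= rest.len() && rest[n - 1] == b'\n' => n,
            _ => break,
        };
        let record = &rest[sp + 1..len - 1];
        if let Some(eq) = record.iter().position(|&b| b == b'=') {
            let key = String::from_utf8_lossy(&record[..eq]).into_owned();
            let val = String::from_utf8_lossy(&record[eq + 1..]).into_owned();
            out.push((key, val));
        }
        rest = &rest[len..];
    }
    out
}

/// Decode the ustar `size` field (ASCII octal, NUL or space terminated).
pub fn ustar_size(field: &[u8; 12]) -> u64 {
    field.iter().take_while(|b| b.is_ascii_digit())
        .fold(0, |acc, &b| acc * 8 + u64::from(b - b'0'))
}

fn pax_size(pax: &[(String, String)]) -> Option<u64> {
    pax.iter().find(|(k, _)| k == "size").and_then(|(_, v)| v.parse().ok())
}

/// PAX-compliant rule (e.g. Go archive/tar): a PAX `size` record always wins.
pub fn compliant_size(base: u64, pax: &[(String, String)]) -> u64 {
    pax_size(pax).unwrap_or(base)
}

/// Rule the advisory attributes to tar-rs <= 0.4.44: PAX size only when base is zero.
pub fn legacy_size(base: u64, pax: &[(String, String)]) -> u64 {
    if base != 0 { base } else { pax_size(pax).unwrap_or(0) }
}

/// Intake check: flag entries that the two rules would size differently.
pub fn parsers_disagree(base: u64, pax: &[(String, String)]) -> bool {
    compliant_size(base, pax) != legacy_size(base, pax)
}
```

Running the check over every entry of an archive before trusting its contents is the practical mitigation for consumers who cannot yet move to 0.4.45.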
Published: 2026-03-20
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Inconsistent file size interpretation leading to potential accidental logic errors or malicious archive handling
Action: Upgrade
AI Analysis

Impact

The library incorrectly skips the PAX size header when the base header size is nonzero, causing tar archives to be interpreted at different sizes by this parser than by other implementations. This discrepancy can lead to confusion or unexpected behavior in applications that rely on consistent archive contents, and may be exploited to craft archives that behave differently across utilities, potentially leading to logic errors or resource misuse.

Affected Systems

The vulnerability affects the Rust tar archive library maintained by alexcrichton, specifically versions 0.4.44 and earlier. The issue is resolved in version 0.4.45 and later.

Risk and Exploitability

The CVSS score of 5.1 indicates a moderate impact; EPSS is below 1%, suggesting a low probability of exploitation, and the vulnerability is not listed in CISA's KEV catalog. The likely attack vector is delivering a malicious tar archive to an application that uses this library; the attacker does not gain code execution but can cause file sizes to be misinterpreted, potentially leading to incorrect processing or errors. Because the flaw only affects archive parsing, it does not directly enable arbitrary code execution or denial of service without additional application vulnerabilities.

Generated by OpenCVE AI on March 23, 2026 at 16:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade tar-rs to version 0.4.45 or later.


Tracking


Advisories
Source        ID                   Title
Github GHSA   GHSA-gchp-q4r4-x4ff  tar-rs incorrectly ignores PAX size headers if header size is nonzero
History

Mon, 23 Mar 2026 15:30:00 +0000

Type      Values Removed   Values Added
CPEs                       cpe:2.3:a:alexcrichton:tar-rs:*:*:*:*:*:rust:*:*
Metrics                    cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}


Fri, 20 Mar 2026 16:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Alexcrichton, Alexcrichton tar-rs
Vendors & Products                     Alexcrichton, Alexcrichton tar-rs

Fri, 20 Mar 2026 16:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Mar 2026 07:15:00 +0000

Type          Values Removed   Values Added
Description                    tar-rs is a tar archive reading/writing library for Rust. Versions 0.4.44 and below have conditional logic that skips the PAX size header in cases where the base header size is nonzero. As part of CVE-2025-62518, the astral-tokio-tar project was changed to correctly honor PAX size headers in the case where it was different from the base header. This is almost the inverse of the astral-tokio-tar issue. Any discrepancy in how tar parsers honor file size can be used to create archives that appear differently when unpacked by different archivers. In this case, the tar-rs (Rust tar) crate is an outlier in checking for the header size - other tar parsers (including e.g. Go archive/tar) unconditionally use the PAX size override. This can affect anything that uses the tar crate to parse archives and expects to have a consistent view with other parsers. This issue has been fixed in version 0.4.45.
Title                          tar-rs incorrectly ignores PAX size headers if header size is nonzero
Weaknesses                     CWE-843
References
Metrics                        cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T15:44:15.706Z

Reserved: 2026-03-17T18:10:50.213Z

Link: CVE-2026-33055

Vulnrichment

Updated: 2026-03-20T15:44:11.127Z

NVD

Status : Analyzed

Published: 2026-03-20T07:16:13.543

Modified: 2026-03-23T15:27:16.467

Link: CVE-2026-33055

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:30:12Z

Weaknesses