Description
tar-rs is a tar archive reading/writing library for Rust. In versions 0.4.44 and below, when unpacking a tar archive, the tar crate's unpack_dir function uses fs::metadata() to check whether a path that already exists is a directory. Because fs::metadata() follows symbolic links, a crafted tarball containing a symlink entry followed by a directory entry with the same name causes the crate to treat the symlink target as a valid existing directory — and subsequently apply chmod to it. This allows an attacker to modify the permissions of arbitrary directories outside the extraction root. This issue has been fixed in version 0.4.45.
Published: 2026-03-20
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Permission Modification
Action: Patch Now
AI Analysis

Impact

The tar-rs library includes a unpack_dir function that performs a metadata check on paths during extraction. Because the check uses fs::metadata(), which follows symbolic links, a malicious tarball that places a symlink entry immediately before a directory entry of the same name allows the extractor to treat the symlink target as a valid directory and apply chmod to it. This flaw permits an attacker to change the permissions of any directory that the symlink points to, even if that directory lies outside the intended extraction root. The vulnerability enables unauthorized modification of directory permissions, potentially facilitating privilege escalation or further compromise of the host system.

Affected Systems

The affected library is tar-rs, maintained by alexcrichton. Vulnerable versions include 0.4.44 and all earlier releases. The component is used in Rust projects that perform tar archive extraction.

Risk and Exploitability

The CVSS base score is 5.1, indicating moderate severity. The EPSS score is below 1%, suggesting low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires delivering a crafted tar archive to a process that uses tar-rs for extraction, which is typically via software that accepts user-supplied archives. While the risk is moderate, the lack of widespread public exploitation and the dependency on a malicious tarball make immediate internal patching a prudent measure.

Generated by OpenCVE AI on March 24, 2026 at 17:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade tar-rs to version 0.4.45 or later.
  • If upgrading is not immediately feasible, block or sanitize untrusted tar archives until a patch is applied.

Generated by OpenCVE AI on March 24, 2026 at 17:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-j4xf-2g29-59ph tar-rs `unpack_in` can chmod arbitrary directories by following symlinks
Ubuntu USN Ubuntu USN USN-8138-1 tar-rs vulnerability
Ubuntu USN Ubuntu USN USN-8139-1 cargo-c vulnerability
Ubuntu USN Ubuntu USN USN-8168-1 Rust vulnerability
Ubuntu USN Ubuntu USN USN-8168-2 Rust vulnerability
Ubuntu USN Ubuntu USN USN-8138-2 tar-rs vulnerability
History

Tue, 24 Mar 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Tar Project
Tar Project tar
CPEs cpe:2.3:a:tar_project:tar:*:*:*:*:*:rust:*:*
Vendors & Products Tar Project
Tar Project tar
Metrics cvssV3_1

{'score': 4.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}

 cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}

Sat, 21 Mar 2026 05:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-59
References
Metrics threat_severity

None

 cvssV3_1

{'score': 4.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}

threat_severity

Moderate

Fri, 20 Mar 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Alexcrichton
Alexcrichton tar-rs
Vendors & Products Alexcrichton
Alexcrichton tar-rs

Fri, 20 Mar 2026 07:45:00 +0000

Type Values Removed Values Added
Description tar-rs is a tar archive reading/writing library for Rust. In versions 0.4.44 and below, when unpacking a tar archive, the tar crate's unpack_dir function uses fs::metadata() to check whether a path that already exists is a directory. Because fs::metadata() follows symbolic links, a crafted tarball containing a symlink entry followed by a directory entry with the same name causes the crate to treat the symlink target as a valid existing directory — and subsequently apply chmod to it. This allows an attacker to modify the permissions of arbitrary directories outside the extraction root. This issue has been fixed in version 0.4.45.
Title tar-rs: unpack_in can chmod arbitrary directories by following symlinks
Weaknesses CWE-61
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Alexcrichton Tar-rs
Tar Project Tar
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T12:59:30.468Z

Reserved: 2026-03-17T18:10:50.213Z

Link: CVE-2026-33056

cve-icon Vulnrichment

Updated: 2026-03-20T12:59:23.475Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-20T08:16:11.603

Modified: 2026-03-24T16:17:11.623

Link: CVE-2026-33056

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-20T07:11:10Z

Links: CVE-2026-33056 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:30:11Z

Weaknesses