CVE-2026-33056
CVE-2026-33056 is a medium-severity vulnerability in Tar Project Tar with a CVSS 3.x base score of 6.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-61.
Key facts
- Severity: Medium (CVSS 3.x base score 6.5)
- CVSS v4: 5.1
- EPSS exploit prediction: 0% (30th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-13616
- Weakness: CWE-61
- Affected product: Tar Project Tar
- Published:
- Last modified:
Description
tar-rs is a tar archive reading/writing library for Rust. In versions 0.4.44 and below, when unpacking a tar archive, the tar crate's unpack_dir function uses fs::metadata() to check whether a path that already exists is a directory. Because fs::metadata() follows symbolic links, a crafted tarball containing a symlink entry followed by a directory entry with the same name causes the crate to treat the symlink target as a valid existing directory — and subsequently apply chmod to it. This allows an attacker to modify the permissions of arbitrary directories outside the extraction root. This issue has been fixed in version 0.4.45.
Frequently asked questions
- What is CVE-2026-33056?
- tar-rs is a tar archive reading/writing library for Rust. In versions 0.4.44 and below, when unpacking a tar archive, the tar crate's unpack_dir function uses fs::metadata() to check whether a path that already exists is a directory. Because fs::metadata() follows symbolic links, a crafted tarball containing a symlink entry followed by a directory entry with the same name causes the crate to treat the symlink target as a valid existing directory — and subsequently apply chmod to it. This allows an attacker to modify the permissions of arbitrary directories outside the extraction root. This issue has been fixed in version 0.4.45.
- How severe is CVE-2026-33056?
- CVE-2026-33056 has a CVSS 3.x base score of 6.5, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is none, integrity high, and availability none.
- Is CVE-2026-33056 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (30th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2026-33056?
- CVE-2026-33056 affects Tar Project Tar. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2026-33056?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2026-33056 have an EU (EUVD) identifier?
- Yes. CVE-2026-33056 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-13616.
- When was CVE-2026-33056 published?
- CVE-2026-33056 was published on 2026-03-20 and last updated on 2026-06-17.
References
- https://github.com/alexcrichton/tar-rs/commit/17b1fd84e632071cb8eef9d3709bf347bd266446
- https://github.com/alexcrichton/tar-rs/security/advisories/GHSA-j4xf-2g29-59ph
Affected products (1)
- cpe:2.3:a:tar_project:tar:*:*:*:*:*:rust:*:*
More vulnerabilities in Tar Project Tar
- CVE-2021-32804 — High (CVSS 8.2): The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File…
- CVE-2021-32803 — High (CVSS 8.2): The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File…
- CVE-2021-38511 — High (CVSS 7.5): An issue was discovered in the tar crate before 0.4.36 for Rust. When symlinks are present in a TAR archive, extraction…
- CVE-2018-20990 — High (CVSS 7.5): An issue was discovered in the tar crate before 0.4.16 for Rust. Arbitrary file overwrite can occur via a symlink or…
All CVEs affecting Tar Project Tar →
Other CWE-61 vulnerabilities
- CVE-2026-34078 — Critical (CVSS 10.0): Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the Flatpak portal accepts paths…
- CVE-2025-62596 — Critical (CVSS 10.0): Youki is a container runtime written in Rust. In versions 0.5.6 and below, youki’s apparmor handling performs…
- CVE-2025-62161 — Critical (CVSS 10.0): Youki is a container runtime written in Rust. In versions 0.5.6 and below, the initial validation of the source…
- CVE-2025-23394 — Critical (CVSS 9.8): A UNIX Symbolic Link (Symlink) Following vulnerability in openSUSE Tumbleweed cyrus-imapd allows escalation from cyrus…
- CVE-2024-54661 — Critical (CVSS 9.8): readline.sh in socat before1.8.0.2 relies on the /tmp/$USER/stderr2 file.
- CVE-2026-55447 — Critical (CVSS 9.6): Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.2, by controlling a files…