Security Vulnerability Report
CVE-2026-33055 CVSS 8.1 HIGH

CVE-2026-33055

Published: 2026-03-20 07:16:14
Last Modified: 2026-03-23 15:27:16

Description

tar-rs is a tar archive reading/writing library for Rust. Versions 0.4.44 and below have conditional logic that skips the PAX size header in cases where the base header size is nonzero. As part of CVE-2025-62518, the astral-tokio-tar project was changed to correctly honor PAX size headers in the case where it was different from the base header. This is almost the inverse of the astral-tokio-tar issue. Any discrepancy in how tar parsers honor file size can be used to create archives that appear differently when unpacked by different archivers. In this case, the tar-rs (Rust tar) crate is an outlier in checking for the header size - other tar parsers (including e.g. Go archive/tar) unconditionally use the PAX size override. This can affect anything that uses the tar crate to parse archives and expects to have a consistent view with other parsers. This issue has been fixed in version 0.4.45.
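The discrepancy described above, as an added example that is not tar-rs code and not the advisory's own PoC: a minimal one-entry tar reader, run over an archive constructed in-line (a PAX extended header followed by a regular entry whose base header disagrees), that reports the size each policy would act on. Entry names, helper names and the blank header checksum are assumptions for the demonstration.

```rust
// Added example, not tar-rs code: a one-entry tar reader that applies the PAX
// "size" record under both policies the advisory contrasts.
const BLOCK: usize = 512;
fn padded_len(n: usize) -> usize { (n + BLOCK - 1) / BLOCK * BLOCK }

// Header with only the fields read below (name, 11-digit octal size at 124..136, typeflag at 156); checksum left blank.
fn header(name: &str, size: usize, typeflag: u8) -> Vec<u8> {
    let mut h = vec![0u8; BLOCK];
    h[..name.len()].copy_from_slice(name.as_bytes());
    h[124..135].copy_from_slice(format!("{:011o}", size).as_bytes());
    h[156] = typeflag;
    h
}

// PAX record "<len> key=value\n"; len counts the whole record, digits included.
fn pax_record(body: &str) -> String {
    let mut len = body.len() + 3;
    while len.to_string().len() + body.len() + 2 != len { len += 1; }
    format!("{} {}\n", len, body)
}

// Constructed archive: a PAX header ('x') claiming pax_size, then a regular entry ('0') whose own header says base_size.
fn conflicting_archive(base_size: usize, pax_size: u64) -> Vec<u8> {
    let rec = pax_record(&format!("size={}", pax_size)).into_bytes();
    let mut a = header("PaxHeaders/f", rec.len(), b'x');
    a.extend(&rec);
    a.resize(BLOCK + padded_len(rec.len()), 0);
    a.extend(header("f", base_size, b'0'));
    a.extend((0..padded_len(base_size)).map(|i| if i < base_size { b'A' } else { 0 }));
    a
}

// (base header size, PAX size if present) for the first regular entry.
fn first_entry_sizes(archive: &[u8]) -> (u64, Option<u64>) {
    let (mut pax, mut off) = (None, 0);
    while off + BLOCK <= archive.len() {
        let field = String::from_utf8_lossy(&archive[off + 124..off + 136]);
        let size = u64::from_str_radix(field.trim_matches(|c: char| c == '\0' || c == ' '), 8).unwrap_or(0);
        if archive[off + 156] != b'x' { return (size, pax); }
        for rec in String::from_utf8_lossy(archive.get(off + BLOCK..off + BLOCK + size as usize).unwrap_or(&[])).lines() {
            // "<len> key=value": skip the length prefix, keep only the size key.
            if let Some(v) = rec.splitn(2, ' ').nth(1).and_then(|kv| kv.strip_prefix("size=")) {
                pax = v.parse().ok();
            }
        }
        off += BLOCK + padded_len(size as usize);
    }
    (0, pax)
}

// true models 0.4.45 and other parsers (PAX always wins); false models the 0.4.44 conditional that kept a nonzero base size.
fn effective_size(base: u64, pax: Option<u64>, pax_always_wins: bool) -> u64 {
    match pax { Some(p) if pax_always_wins || base == 0 => p, _ => base }
}
```

A consumer that must agree with other extractors can reject any entry where `first_entry_sizes` returns a PAX size different from a nonzero base size, rather than trusting either view.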

CVSS Details

CVSS Score: 8.1
Severity: HIGH
CVSS Vector (v3.1, Primary): CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Exploitability Score: 2.8, Impact Score: 5.2
CVSS v4.0 (Secondary): 5.1 MEDIUM
CVSS v4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Weakness: CWE-843

Configurations (Affected Products)

cpe:2.3:a:alexcrichton:tar-rs:*:*:*:*:*:rust:*:* - VULNERABLE
tar-rs <= 0.4.44

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
rust
// PoC concept: describe a tar entry whose base (ustar) header size and PAX
// "size" record disagree, to illustrate the parsing difference. This is a
// conceptual representation; it prints the two views and writes no archive.
fn main() {
    // 1. A PAX extended-header record carrying a large size (100 MB). The
    //    record format is "<len> key=value\n", where len counts the whole
    //    record including its own digits, so this record is 18 bytes long.
    let pax_data = b"18 size=104857600\n";
    // 2. The base ustar header for the same entry carries a small size
    //    (10 bytes) in its octal size field. In a real archive both headers
    //    are raw 512-byte blocks; only the two sizes matter for this concept.
    let base_size: u64 = 10;
    // tar-rs <= 0.4.44 keeps the nonzero base header size and ignores the
    // PAX size record; tar-rs 0.4.45 and other parsers let the PAX size win.
    println!("PoC: tar entry with base_size={} and PAX record {:?}",
             base_size, std::str::from_utf8(pax_data).unwrap());
    println!("Vulnerable parser (tar-rs <= 0.4.44) will report size: 10");
    println!("Standard parser (Go tar, etc) will report size: 104857600");
    // Impact: Bypass file upload size limits or cause DoS upon extraction.
}

References

https://github.com/alexcrichton/tar-rs/commit/de1a5870e603758f430073688691165f21a33946 (Patch)
https://github.com/alexcrichton/tar-rs/security/advisories/GHSA-gchp-q4r4-x4ff