CVE-2026-32766
Insufficient validation of PAX extensions during extraction
Severity: MEDIUM (5.3) | EPSS: 0.02%
Description
In versions 0.5.6 and earlier of astral-tokio-tar, malformed PAX extensions were silently skipped when parsing tar archives. This silent skipping (rather than rejection) of invalid PAX extensions could be used as a building block for a parser differential: for example, astral-tokio-tar could silently skip a malformed GNU "long link" extension while a subsequent parser interprets that same extension and so disagrees with astral-tokio-tar about the entry. In practice, exploiting this behavior in astral-tokio-tar requires a second, misbehaving tar parser, i.e. one that insufficiently validates malformed PAX extensions and interprets them rather than skipping or erroring on them. This vulnerability is considered low-severity because it requires a separate vulnerability in an unrelated tar parser. This issue has been fixed in version 0.6.0.
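The defensive property the fix restores is that a tar reader must fail closed on a malformed PAX record instead of dropping it, so that no two readers can disagree about which extensions an entry carries. The following is an added example, not code from the astral-tokio-tar project: a strict parser for the body of a PAX extended header (the `x`/`g` entry payload), where each record has the form `<len> <key>=<value>\n` and `<len>` is the decimal length of the whole record including the length digits, the space and the trailing newline. The function and error names (`parse_pax`, `encode_record`, `PaxError`) are this example's own and are not the crate's API.

```rust
// Added example: strict PAX extended-header record parser (not astral-tokio-tar's code).
// A malformed record is reported as an error with its byte offset rather than skipped.
use std::collections::BTreeMap;
use std::fmt;

#[derive(Debug, PartialEq)]
pub enum PaxError {
    MissingLength(usize),  // no "<len> " prefix at this offset
    BadLength(usize),      // length is not a positive decimal or is out of range
    MissingNewline(usize), // record does not end in '\n'
    MissingEquals(usize),  // record has no '=' separating key and value
    EmptyKey(usize),       // "<len> =value\n"
    NotUtf8(usize),        // key or value is not valid UTF-8
}

impl fmt::Display for PaxError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "malformed PAX record: {:?}", self)
    }
}

impl std::error::Error for PaxError {}

/// Parse every record in `body` or fail on the first malformed one.
pub fn parse_pax(body: &[u8]) -> Result<BTreeMap<String, String>, PaxError> {
    let mut out = BTreeMap::new();
    let mut pos = 0;
    while pos < body.len() {
        // 1. Decimal length field terminated by a single space.
        let space = body[pos..]
            .iter()
            .position(|&b| b == b' ')
            .map(|i| pos + i)
            .ok_or(PaxError::MissingLength(pos))?;
        let len_str = std::str::from_utf8(&body[pos..space]).map_err(|_| PaxError::BadLength(pos))?;
        if len_str.is_empty() || !len_str.bytes().all(|b| b.is_ascii_digit()) {
            return Err(PaxError::BadLength(pos));
        }
        let len: usize = len_str.parse().map_err(|_| PaxError::BadLength(pos))?;
        // 2. The length covers the whole record and must stay inside the body.
        let end = pos.checked_add(len).ok_or(PaxError::BadLength(pos))?;
        if len == 0 || end > body.len() || end < space + 2 {
            return Err(PaxError::BadLength(pos));
        }
        // 3. Record must be newline-terminated exactly where the length says.
        if body[end - 1] != b'\n' {
            return Err(PaxError::MissingNewline(pos));
        }
        // 4. "key=value" between the space and the newline.
        let kv = &body[space + 1..end - 1];
        let eq = kv.iter().position(|&b| b == b'=').ok_or(PaxError::MissingEquals(pos))?;
        if eq == 0 {
            return Err(PaxError::EmptyKey(pos));
        }
        let key = std::str::from_utf8(&kv[..eq]).map_err(|_| PaxError::NotUtf8(pos))?;
        let value = std::str::from_utf8(&kv[eq + 1..]).map_err(|_| PaxError::NotUtf8(pos))?;
        out.insert(key.to_string(), value.to_string());
        pos = end;
    }
    Ok(out)
}

/// Encode one well-formed record; the length field counts its own digits.
pub fn encode_record(key: &str, value: &str) -> String {
    let base = key.len() + value.len() + 3; // space + '=' + '\n'
    let digits = |n: usize| n.to_string().len();
    let mut len = base + digits(base);
    if base + digits(len) != len {
        len += 1; // the digit count grew (e.g. 9 -> 10)
    }
    format!("{} {}={}\n", len, key, value)
}

fn main() {
    // Constructed sample: one valid record followed by a truncated one.
    let body = format!("{}7 path\n", encode_record("path", "dir/file"));
    match parse_pax(body.as_bytes()) {
        Ok(map) => println!("ok: {:?}", map),
        Err(e) => println!("rejected archive: {}", e),
    }
}
```

Rejecting at the first bad record, and reporting its offset, is what removes the differential: an archive that this parser accepts is one whose PAX records every conforming reader will interpret identically, and an archive it rejects is never extracted at all.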
Affected packages (3)
- crates.io/astral-tokio-tar: from 0, < 0.6.0
- crates.io/astral-tokio-tar: >= 0.0.0-0, < 0.6.0
- Debian/rust-astral-tokio-tar: from 0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
References (7)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2026-32766
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2026-32766
- PATCH: https://crates.io/crates/astral-tokio-tar
- PATCH: https://github.com/astral-sh/tokio-tar
- WEB: https://github.com/astral-sh/tokio-tar/commit/e5e0139cae4577eeedf5fc16b65e690bf988ce52
- WEB: https://github.com/astral-sh/tokio-tar/security/advisories/GHSA-6gx3-4362-rf54
- WEB: https://rustsec.org/advisories/RUSTSEC-2026-0066.html