CVE-2026-33055

{"id": "CVE-2026-33055", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-20T07:16:13.543", "references": [{"url": "https://github.com/alexcrichton/tar-rs/commit/de1a5870e603758f430073688691165f21a33946", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/alexcrichton/tar-rs/security/advisories/GHSA-gchp-q4r4-x4ff", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://www.cve.org/CVERecord?id=CVE-2025-62518", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-843"}]}], "descriptions": [{"lang": "en", "value": "tar-rs is a tar archive reading/writing library for Rust. Versions 0.4.44 and below have conditional logic that skips the PAX size header in cases where the base header size is nonzero. As part of CVE-2025-62518, the astral-tokio-tar project was changed to correctly honor PAX size headers in the case where it was different from the base header. This is almost the inverse of the astral-tokio-tar issue. Any discrepancy in how tar parsers honor file size can be used to create archives that appear differently when unpacked by different archivers. In this case, the tar-rs (Rust tar) crate is an outlier in checking for the header size - other tar parsers (including e.g. Go archive/tar) unconditionally use the PAX size override. This can affect anything that uses the tar crate to parse archives and expects to have a consistent view with other parsers. This issue has been fixed in version 0.4.45."}, {"lang": "es", "value": "tar-rs es una biblioteca de lectura/escritura de archivos tar para Rust. Las versiones 0.4.44 e inferiores tienen l\u00f3gica condicional que omite el encabezado de tama\u00f1o PAX en los casos en que el tama\u00f1o del encabezado base no es cero. Como parte de CVE-2025-62518, el proyecto astral-tokio-tar fue modificado para respetar correctamente los encabezados de tama\u00f1o PAX en el caso en que fuera diferente del encabezado base. Esto es casi lo inverso del problema de astral-tokio-tar. Cualquier discrepancia en c\u00f3mo los analizadores tar respetan el tama\u00f1o del archivo puede ser utilizada para crear archivos que aparecen de manera diferente cuando son desempaquetados por diferentes archivadores. En este caso, el 'crate' tar-rs (tar de Rust) es una excepci\u00f3n al verificar el tama\u00f1o del encabezado; otros analizadores tar (incluyendo, por ejemplo, Go archive/tar) usan incondicionalmente la anulaci\u00f3n de tama\u00f1o PAX. Esto puede afectar cualquier cosa que use el 'crate' tar para analizar archivos y espere tener una vista consistente con otros analizadores. Este problema ha sido corregido en la versi\u00f3n 0.4.45."}], "lastModified": "2026-03-23T15:27:16.467", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:alexcrichton:tar-rs:*:*:*:*:*:rust:*:*", "vulnerable": true, "matchCriteriaId": "6BFF2938-0282-4340-B01B-3B365160D641", "versionEndExcluding": "0.4.45"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}