FIND-20260408-004 · 2026-04-08 · Innovation Veille

CVE-2026-33055 + CVE-2026-33056 — Rust tar-rs archive vulnerabilities (fixed in Rust 1.94.1)

cve MEDIUM
Two CVEs affect the Rust tar-rs crate (versions <=0.4.44). CVE-2026-33055 (CVSS 5.1, Medium) is a parser differential: tar-rs ignores PAX size override headers, so an archive that an upstream validator reads one way is extracted differently by tar-rs, letting content be smuggled past the validator. CVE-2026-33056 allows a malicious tarball to chmod arbitrary directories outside the extraction root by following symlinks during extraction. Both are fixed in tar-rs 0.4.45. Rust 1.94.1 (released March 26, 2026) ships the patched version. ODS last-versions.json shows rust=1.94.1, so the toolchain itself is already current. The toolchain update alone does not cover services that depend on the tar crate directly, because each service pins its own tar version in Cargo.lock: every ODS Rust service must be rebuilt with the updated toolchain, and its Cargo.lock audited to confirm that no tar entry at <=0.4.44 remains.

Source

https://blog.rust-lang.org/2026/03/21/cve-2026-33056/

ODS Impact

All ODS Rust services (billing-engine, docstore, pdf-engine, oid, etc.) that process archives through the tar crate. tar-rs handles tar only, so zip handling is out of scope for these CVEs; the exposure is any service that accepts user-uploaded tar archives (including compressed .tar.gz), plus cargo itself when it downloads and unpacks crates (e.g. in CI), which is why the toolchain release carries the fix. Rebuild all services with Rust 1.94.1, and in each service run `cargo update -p tar` (or a full `cargo update`) so that Cargo.lock moves to tar 0.4.45 or later. Re-check the lockfile afterwards: `cargo tree -i tar` shows which dependency pulls the crate in, and a dependency that pins an exact older version would block the bump.
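Added example, not part of this finding or of the tar-rs or Cargo projects: a std-only Rust audit that walks every `[[package]]` block in a Cargo.lock and returns the `tar` versions in the affected range (<=0.4.44). The lockfile content embedded below is constructed for the example; the threshold is the upper bound stated in the summary. Pass the path of a real Cargo.lock as the first argument to check a service; a version that fails to parse is reported as vulnerable rather than silently skipped.

```rust
use std::cmp::Ordering;

/// Minimal x.y.z version, ordered lexicographically (major, minor, patch).
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
struct SemVer(u64, u64, u64);

/// Highest tar-rs release in the affected range named in the finding.
const LAST_VULNERABLE_TAR: SemVer = SemVer(0, 4, 44);

/// Parse "0.4.45" (pre-release/build suffixes are dropped, so "0.4.45-beta.1"
/// compares as 0.4.45). Returns None when the core is not three integers.
fn parse_semver(s: &str) -> Option<SemVer> {
    let core = s.split(|c: char| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>());
    let major = parts.next()?.ok()?;
    let minor = parts.next()?.ok()?;
    let patch = parts.next()?.ok()?;
    Some(SemVer(major, minor, patch))
}

/// For a lockfile line of the form `key = "value"`, return `value`.
fn quoted_value<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let rest = line.trim().strip_prefix(key)?.trim_start().strip_prefix('=')?;
    let rest = rest.trim_start().strip_prefix('"')?;
    rest.split('"').next()
}

/// Return every `tar` version pinned in `lockfile` that is <= 0.4.44.
/// A lockfile may pin the same crate at several versions, so all are returned.
/// An unparseable version string is treated as vulnerable (conservative).
fn vulnerable_tar_versions(lockfile: &str) -> Vec<String> {
    let mut found = Vec::new();
    let mut name: Option<&str> = None;
    let mut version: Option<&str> = None;

    // A synthetic trailing block header flushes the last real block.
    for line in lockfile.lines().chain(std::iter::once("[[package]]")) {
        let trimmed = line.trim();
        if trimmed == "[[package]]" {
            if let (Some("tar"), Some(v)) = (name, version) {
                let affected = match parse_semver(v) {
                    Some(sv) => sv.cmp(&LAST_VULNERABLE_TAR) != Ordering::Greater,
                    None => true,
                };
                if affected {
                    found.push(v.to_string());
                }
            }
            name = None;
            version = None;
        } else if let Some(n) = quoted_value(trimmed, "name") {
            name = Some(n);
        } else if let Some(v) = quoted_value(trimmed, "version") {
            version = Some(v);
        }
    }
    found
}

/// Constructed sample lockfile: one affected tar and one patched tar,
/// as happens when two dependencies resolve the crate at different versions.
const SAMPLE_LOCK: &str = r#"# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "filetime"
version = "0.2.25"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "tar"
version = "0.4.44"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "filetime",
]

[[package]]
name = "tar"
version = "0.4.45"
source = "registry+https://github.com/rust-lang/crates.io-index"
"#;

fn main() {
    // Usage: audit_tar [path/to/Cargo.lock]; without an argument, the
    // constructed sample above is checked.
    let contents = match std::env::args().nth(1) {
        Some(path) => std::fs::read_to_string(&path).expect("cannot read lockfile"),
        None => SAMPLE_LOCK.to_string(),
    };
    let hits = vulnerable_tar_versions(&contents);
    if hits.is_empty() {
        println!("OK: no tar <= 0.4.44 pinned");
    } else {
        println!("VULNERABLE: tar {:?} pinned; run `cargo update -p tar` and rebuild", hits);
    }
}
```

Run it once per service checkout; a non-empty result means the rebuild with Rust 1.94.1 alone did not change what the service links against, and the lockfile bump is still outstanding.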

Security Review

License: MIT OR Apache-2.0 | Maintenance: ACTIVE | Risk: LOW | Recommendation: SAFE_TO_USE

Tags

cve rust tar supply-chain archive-smuggling symlink cargo patched