Vulnerability-Lookup

CVE-2026-32766 (GCVE-0-2026-32766)

Vulnerability from cvelistv5 – Published: 2026-03-20 00:07 – Updated: 2026-03-20 18:09

Title

astral-tokio-tar insufficiently validates PAX extensions during extraction

Summary

astral-tokio-tar is a tar archive reading/writing library for async Rust. In versions 0.5.6 and earlier, malformed PAX extensions were silently skipped when parsing tar archives. This silent skipping (rather than rejection) of invalid PAX extensions could be used as a building block for a parser differential, for example by silently skipping a malformed GNU “long link” extension so that a subsequent parser would misinterpret the extension. In practice, exploiting this behavior in astral-tokio-tar requires a secondary misbehaving tar parser, i.e. one that insufficiently validates malformed PAX extensions and interprets them rather than skipping or erroring on them. This vulnerability is considered low-severity as it requires a separate vulnerability against any unrelated tar parser. This issue has been fixed in version 0.6.0.

Severity ?

1.7 (Low)


                        
                          CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U

CWE

CWE-436 - Interpretation Conflict

Assigner

GitHub_M

References

URL

Tags

	https://github.com/astral-sh/tokio-tar/security/a…	x_refsource_CONFIRM
	https://github.com/astral-sh/tokio-tar/commit/e5e…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	astral-sh	tokio-tar	Affected: < 0.6.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-32766",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-20T16:56:46.912673Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-20T18:09:06.340Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "tokio-tar",
          "vendor": "astral-sh",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.6.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "astral-tokio-tar is a tar archive reading/writing library for async Rust. In versions 0.5.6 and earlier, malformed PAX extensions were silently skipped when parsing tar archives. This silent skipping (rather than rejection) of invalid PAX extensions could be used as a building block for a parser differential, for example by silently skipping a malformed GNU \u201clong link\u201d extension so that a subsequent parser would misinterpret the extension. In practice, exploiting this behavior in astral-tokio-tar requires a secondary misbehaving tar parser, i.e. one that insufficiently validates malformed PAX extensions and interprets them rather than skipping or erroring on them. This vulnerability is considered low-severity as it requires a separate vulnerability against any unrelated tar parser. This issue has been fixed in version 0.6.0."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 1.7,
            "baseSeverity": "LOW",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "LOW"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-436",
              "description": "CWE-436: Interpretation Conflict",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-20T00:07:36.444Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/astral-sh/tokio-tar/security/advisories/GHSA-6gx3-4362-rf54",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/astral-sh/tokio-tar/security/advisories/GHSA-6gx3-4362-rf54"
        },
        {
          "name": "https://github.com/astral-sh/tokio-tar/commit/e5e0139cae4577eeedf5fc16b65e690bf988ce52",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/astral-sh/tokio-tar/commit/e5e0139cae4577eeedf5fc16b65e690bf988ce52"
        }
      ],
      "source": {
        "advisory": "GHSA-6gx3-4362-rf54",
        "discovery": "UNKNOWN"
      },
      "title": "astral-tokio-tar insufficiently validates PAX extensions during extraction"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-32766",
    "datePublished": "2026-03-20T00:07:36.444Z",
    "dateReserved": "2026-03-13T18:53:03.533Z",
    "dateUpdated": "2026-03-20T18:09:06.340Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-32766\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-20T00:16:18.100\",\"lastModified\":\"2026-03-20T13:37:50.737\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"astral-tokio-tar is a tar archive reading/writing library for async Rust. In versions 0.5.6 and earlier, malformed PAX extensions were silently skipped when parsing tar archives. This silent skipping (rather than rejection) of invalid PAX extensions could be used as a building block for a parser differential, for example by silently skipping a malformed GNU \u201clong link\u201d extension so that a subsequent parser would misinterpret the extension. In practice, exploiting this behavior in astral-tokio-tar requires a secondary misbehaving tar parser, i.e. one that insufficiently validates malformed PAX extensions and interprets them rather than skipping or erroring on them. This vulnerability is considered low-severity as it requires a separate vulnerability against any unrelated tar parser. This issue has been fixed in version 0.6.0.\"},{\"lang\":\"es\",\"value\":\"astral-tokio-tar es una biblioteca de lectura/escritura de archivos tar para Rust as\u00edncrono. En las versiones 0.5.6 y anteriores, las extensiones PAX malformadas se omit\u00edan silenciosamente al analizar archivos tar. Esta omisi\u00f3n silenciosa (en lugar de rechazo) de extensiones PAX no v\u00e1lidas podr\u00eda usarse como un bloque de construcci\u00f3n para un diferencial de analizador, por ejemplo, omitiendo silenciosamente una extensi\u00f3n GNU \u0027long link\u0027 malformada para que un analizador posterior malinterpretara la extensi\u00f3n. En la pr\u00e1ctica, explotar este comportamiento en astral-tokio-tar requiere un analizador tar secundario con comportamiento incorrecto, es decir, uno que valide insuficientemente las extensiones PAX malformadas y las interprete en lugar de omitirlas o generar un error por ellas. Esta vulnerabilidad se considera de baja gravedad ya que requiere una vulnerabilidad separada contra cualquier analizador tar no relacionado. Este problema ha sido corregido en la versi\u00f3n 0.6.0.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":1.7,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"LOW\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"UNREPORTED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-436\"}]}],\"references\":[{\"url\":\"https://github.com/astral-sh/tokio-tar/commit/e5e0139cae4577eeedf5fc16b65e690bf988ce52\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/astral-sh/tokio-tar/security/advisories/GHSA-6gx3-4362-rf54\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-32766\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-20T16:56:46.912673Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-20T16:56:50.716Z\"}}], \"cna\": {\"title\": \"astral-tokio-tar insufficiently validates PAX extensions during extraction\", \"source\": {\"advisory\": \"GHSA-6gx3-4362-rf54\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 1.7, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"LOW\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"astral-sh\", \"product\": \"tokio-tar\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.6.0\"}]}], \"references\": [{\"url\": \"https://github.com/astral-sh/tokio-tar/security/advisories/GHSA-6gx3-4362-rf54\", \"name\": \"https://github.com/astral-sh/tokio-tar/security/advisories/GHSA-6gx3-4362-rf54\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/astral-sh/tokio-tar/commit/e5e0139cae4577eeedf5fc16b65e690bf988ce52\", \"name\": \"https://github.com/astral-sh/tokio-tar/commit/e5e0139cae4577eeedf5fc16b65e690bf988ce52\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"astral-tokio-tar is a tar archive reading/writing library for async Rust. In versions 0.5.6 and earlier, malformed PAX extensions were silently skipped when parsing tar archives. This silent skipping (rather than rejection) of invalid PAX extensions could be used as a building block for a parser differential, for example by silently skipping a malformed GNU \\u201clong link\\u201d extension so that a subsequent parser would misinterpret the extension. In practice, exploiting this behavior in astral-tokio-tar requires a secondary misbehaving tar parser, i.e. one that insufficiently validates malformed PAX extensions and interprets them rather than skipping or erroring on them. This vulnerability is considered low-severity as it requires a separate vulnerability against any unrelated tar parser. This issue has been fixed in version 0.6.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-436\", \"description\": \"CWE-436: Interpretation Conflict\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-20T00:07:36.444Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-32766\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-20T18:09:06.340Z\", \"dateReserved\": \"2026-03-13T18:53:03.533Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-20T00:07:36.444Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

rustsec-2026-0066

Vulnerability from osv_rustsec

Published

2026-03-17 12:00

Modified

2026-03-23 09:31

Summary

Insufficient validation of PAX extensions during extraction

Details

In versions 0.5.6 and earlier of astral-tokio-tar, malformed PAX extensions were silently skipped when parsing tar archives. This silent skipping (rather than rejection) of invalid PAX extensions could be used as a building block for a parser differential, for example by silently skipping a malformed GNU "long link" extension so that a subsequent parser would misinterpret the extension.

In practice, exploiting this behavior in astral-tokio-tar requires a secondary misbehaving tar parser, i.e. one that insufficiently validates malformed PAX extensions and interprets them rather than skipping or erroring on them. This vulnerability is considered low-severity as it requires a separate vulnerability against any unrelated tar parser.

This issue has been fixed in version 0.6.0.

Severity

1.7 (Low)


                    
                      CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U

References

URL

Type

	https://crates.io/crates/astral-tokio-tar	PACKAGE
	https://rustsec.org/advisories/RUSTSEC-2026-0066.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "categories": [],
        "cvss": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U",
        "informational": null
      },
      "ecosystem_specific": {
        "affected_functions": null,
        "affects": {
          "arch": [],
          "functions": [],
          "os": []
        }
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "astral-tokio-tar",
        "purl": "pkg:cargo/astral-tokio-tar"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0-0"
            },
            {
              "fixed": "0.6.0"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "versions": []
    }
  ],
  "aliases": [
    "GHSA-6gx3-4362-rf54",
    "CVE-2026-32766"
  ],
  "database_specific": {
    "license": "CC0-1.0"
  },
  "details": "In versions 0.5.6 and earlier of astral-tokio-tar, malformed PAX extensions\nwere silently skipped when parsing tar archives. This silent skipping (rather\nthan rejection) of invalid PAX extensions could be used as a building block for\na parser differential, for example by silently skipping a malformed GNU \"long\nlink\" extension so that a subsequent parser would misinterpret the extension.\n\nIn practice, exploiting this behavior in astral-tokio-tar requires a secondary\nmisbehaving tar parser, i.e. one that insufficiently validates malformed PAX\nextensions and interprets them rather than skipping or erroring on them. This\nvulnerability is considered low-severity as it requires a separate\nvulnerability against any unrelated tar parser.\n\nThis issue has been fixed in version 0.6.0.",
  "id": "RUSTSEC-2026-0066",
  "modified": "2026-03-23T09:31:59Z",
  "published": "2026-03-17T12:00:00Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://crates.io/crates/astral-tokio-tar"
    },
    {
      "type": "ADVISORY",
      "url": "https://rustsec.org/advisories/RUSTSEC-2026-0066.html"
    }
  ],
  "related": [],
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Insufficient validation of PAX extensions during extraction"
}

FKIE_CVE-2026-32766

Vulnerability from fkie_nvd - Published: 2026-03-20 00:16 - Updated: 2026-03-20 13:37

Severity ?

1.7 (Low) - CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/astral-sh/tokio-tar/commit/e5e0139cae4577eeedf5fc16b65e690bf988ce52
	security-advisories@github.com	https://github.com/astral-sh/tokio-tar/security/advisories/GHSA-6gx3-4362-rf54

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "astral-tokio-tar is a tar archive reading/writing library for async Rust. In versions 0.5.6 and earlier, malformed PAX extensions were silently skipped when parsing tar archives. This silent skipping (rather than rejection) of invalid PAX extensions could be used as a building block for a parser differential, for example by silently skipping a malformed GNU \u201clong link\u201d extension so that a subsequent parser would misinterpret the extension. In practice, exploiting this behavior in astral-tokio-tar requires a secondary misbehaving tar parser, i.e. one that insufficiently validates malformed PAX extensions and interprets them rather than skipping or erroring on them. This vulnerability is considered low-severity as it requires a separate vulnerability against any unrelated tar parser. This issue has been fixed in version 0.6.0."
    },
    {
      "lang": "es",
      "value": "astral-tokio-tar es una biblioteca de lectura/escritura de archivos tar para Rust as\u00edncrono. En las versiones 0.5.6 y anteriores, las extensiones PAX malformadas se omit\u00edan silenciosamente al analizar archivos tar. Esta omisi\u00f3n silenciosa (en lugar de rechazo) de extensiones PAX no v\u00e1lidas podr\u00eda usarse como un bloque de construcci\u00f3n para un diferencial de analizador, por ejemplo, omitiendo silenciosamente una extensi\u00f3n GNU \u0027long link\u0027 malformada para que un analizador posterior malinterpretara la extensi\u00f3n. En la pr\u00e1ctica, explotar este comportamiento en astral-tokio-tar requiere un analizador tar secundario con comportamiento incorrecto, es decir, uno que valide insuficientemente las extensiones PAX malformadas y las interprete en lugar de omitirlas o generar un error por ellas. Esta vulnerabilidad se considera de baja gravedad ya que requiere una vulnerabilidad separada contra cualquier analizador tar no relacionado. Este problema ha sido corregido en la versi\u00f3n 0.6.0."
    }
  ],
  "id": "CVE-2026-32766",
  "lastModified": "2026-03-20T13:37:50.737",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "HIGH",
          "attackRequirements": "PRESENT",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 1.7,
          "baseSeverity": "LOW",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "UNREPORTED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "LOW",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-20T00:16:18.100",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/astral-sh/tokio-tar/commit/e5e0139cae4577eeedf5fc16b65e690bf988ce52"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/astral-sh/tokio-tar/security/advisories/GHSA-6gx3-4362-rf54"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-436"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

MSRC_CVE-2026-32766

Vulnerability from csaf_microsoft - Published: 2026-03-02 00:00 - Updated: 2026-03-31 15:06

Summary

astral-tokio-tar insufficiently validates PAX extensions during extraction

Notes

Additional Resources: To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle

Disclaimer: The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

CVE-2026-32766

CWE-436 - Interpretation Conflict

None Available There is no fix available for this vulnerability as of now

References

URL

GHSA-6GX3-4362-RF54

Vulnerability from github – Published: 2026-03-17 19:49 – Updated: 2026-03-25 18:35

Summary

astral-tokio-tar insufficiently validates PAX extensions during extraction

Details

Impact

In versions 0.5.6 and earlier of astral-tokio-tar, malformed PAX extensions were silently skipped when parsing tar archives. This silent skipping (rather than rejection) of invalid PAX extensions could be used as a building block for a parser differential, for example by having astral-tokio-tar silently skip a malformed GNU “long link” extension so that a subsequent parser would misinterpret the extension.

In practice, exploiting this behavior in astral-tokio-tar requires a secondary misbehaving tar parser, i.e. one that insufficiently validates malformed PAX extensions and interprets them rather than skipping or erroring on them. Consequently this advisory is considered low-severity within astral-tokio-tar itself, as it requires a separate vulnerability against any unrelated tar parser.

Patches

Versions 0.6.0 and newer of astral-tokio-tar reject invalid PAX extensions, rather than silently skipping them.

Workarounds

Users are advised to upgrade to version 0.6.0 or newer to address this advisory.

Most users should experience no breaking changes as a result of the patch above. Some users who attempt to extract poorly constructed tar files may experience errors; users should re-construct their tar files with a conforming tar parser.

Attribution

Sergei Zimmerman (@xokdvium)

Severity ?

6.3 (Medium)


                  
                    CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.5.6"
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "astral-tokio-tar"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.6.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32766"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-436"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-17T19:49:35Z",
    "nvd_published_at": "2026-03-20T00:16:18Z",
    "severity": "MODERATE"
  },
  "details": "## Impact\n\nIn versions 0.5.6 and earlier of astral-tokio-tar, malformed PAX extensions were silently skipped when parsing tar archives. This silent skipping (rather than rejection) of invalid PAX extensions could be used as a building block for a parser differential, for example by having astral-tokio-tar silently skip a malformed GNU \u201clong link\u201d extension so that a subsequent parser would misinterpret the extension.\n\nIn practice, exploiting this behavior in astral-tokio-tar requires a secondary misbehaving tar parser, i.e. one that insufficiently validates malformed PAX extensions and interprets them rather than skipping or erroring on them. Consequently this advisory is considered low-severity within astral-tokio-tar itself, as it requires a separate vulnerability against any unrelated tar parser.\n\n## Patches\n\nVersions 0.6.0 and newer of astral-tokio-tar reject invalid PAX extensions, rather than silently skipping them. \n\n## Workarounds\n\nUsers are advised to upgrade to version 0.6.0 or newer to address this advisory.\n\nMost users should experience no breaking changes as a result of the patch above. Some users who attempt to extract poorly constructed tar files may experience errors; users should re-construct their tar files with a conforming tar parser.\n\n## Attribution\n\n- Sergei Zimmerman (@xokdvium)",
  "id": "GHSA-6gx3-4362-rf54",
  "modified": "2026-03-25T18:35:40Z",
  "published": "2026-03-17T19:49:35Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/astral-sh/tokio-tar/security/advisories/GHSA-6gx3-4362-rf54"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32766"
    },
    {
      "type": "WEB",
      "url": "https://github.com/astral-sh/tokio-tar/commit/e5e0139cae4577eeedf5fc16b65e690bf988ce52"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/astral-sh/tokio-tar"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2026-0066.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "astral-tokio-tar insufficiently validates PAX extensions during extraction"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-32766 (GCVE-0-2026-32766)

rustsec-2026-0066

Vulnerability from osv_rustsec

FKIE_CVE-2026-32766

MSRC_CVE-2026-32766

GHSA-6GX3-4362-RF54

Impact

Patches

Workarounds

Attribution

Tags

Sightings

Nomenclature