Fedora Account System
Red Hat Associate
Red Hat Customer
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
More information is available at https://www.cve.org/CVERecord?id=CVE-2026-33056. This flaw is fixed in version 0.4.45 of the tar crate. Updates for rust-tar-0.4.45 are in testing for all Fedora and EPEL branches, and buildroot overrides are active. Therefore, you can fix this in Fedora at any time by simply rebuilding libkrun. I’m not going to do that now because rust-sig is not a co-maintainer, but I can do it as provenpackager if you ask me to. In RHEL, where the package uses vendored Rust crate dependencies, you would need to fix this separately within the package’s dependency bundle.
The rust-tar crate is pulled by libkrun's aws-nitro, but this feature is currently not built-in in Fedora. Cargo doesn't seem to be aware of the dependencies that are gated out behind built-time features, which is probably why it still appears in the dependency graph.