2449371 – (CVE-2026-32766) CVE-2026-32766 astral-tokio-tar: astral-tokio-tar: Potential archive misinterpretation via malformed PAX extensions

Bug 2449371 (CVE-2026-32766) - CVE-2026-32766 astral-tokio-tar: astral-tokio-tar: Potential archive misinterpretation via malformed PAX extensions

Summary: CVE-2026-32766 astral-tokio-tar: astral-tokio-tar: Potential archive misinter...

Keywords:
Status:	NEW
Alias:	CVE-2026-32766
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2449545 2449546 2449547 2449548 2449549 2449550 2449551 2449552 2449553
Blocks:
TreeView+	depends on / blocked

Reported:	2026-03-20 01:02 UTC by OSIDB Bzimport
Modified:	2026-03-20 08:53 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-03-20 01:02:21 UTC

astral-tokio-tar is a tar archive reading/writing library for async Rust. In versions 0.5.6 and earlier, malformed PAX extensions were silently skipped when parsing tar archives. This silent skipping (rather than rejection) of invalid PAX extensions could be used as a building block for a parser differential, for example by silently skipping a malformed GNU “long link” extension so that a subsequent parser would misinterpret the extension. In practice, exploiting this behavior in astral-tokio-tar requires a secondary misbehaving tar parser, i.e. one that insufficiently validates malformed PAX extensions and interprets them rather than skipping or erroring on them. This vulnerability is considered low-severity as it requires a separate vulnerability against any unrelated tar parser. This issue has been fixed in version 0.6.0.

Note You need to log in before you can comment on or make changes to this bug.