1.7
Astral Tokio Tar: Malformed Tar Archives Can Cause Errors
GHSA-6gx3-4362-rf54
CVE-2026-32766
Summary
astral-tokio-tar, a Rust library for reading and writing tar archives, silently skipped malformed PAX extended-header records instead of rejecting them (versions 0.5.6 and earlier). On its own this does not give an attacker anything; it matters only as one half of a parser differential, where a second tar parser that interprets the same malformed records disagrees with astral-tokio-tar about an entry's metadata (for example a GNU "long link" name). Upgrade to 0.6.0 or newer, which rejects invalid PAX extensions instead of ignoring them; archives that were previously extracted without complaint may now fail if they were produced by a non-conforming tar writer.
What to do
- Update astral-tokio-tar to version 0.6.0 or newer.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | astral-tokio-tar | <= 0.5.6 | 0.6.0 |
Original title
astral-tokio-tar insufficiently validates PAX extensions during extraction
Original description
## Impact
In versions 0.5.6 and earlier of astral-tokio-tar, malformed PAX extensions were silently skipped when parsing tar archives. This silent skipping (rather than rejection) of invalid PAX extensions could be used as a building block for a parser differential, for example by having astral-tokio-tar silently skip a malformed GNU “long link” extension so that a subsequent parser would misinterpret the extension.
In practice, exploiting this behavior in astral-tokio-tar requires a secondary misbehaving tar parser, i.e. one that insufficiently validates malformed PAX extensions and interprets them rather than skipping or erroring on them. Consequently this advisory is considered low-severity within astral-tokio-tar itself, as it requires a separate vulnerability against any unrelated tar parser.
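The differential described above, as an added example that is not astral-tokio-tar's own code. It models three behaviours for a PAX extended header ('x' entry) on a constructed payload: rejecting a malformed record (the described 0.6.0 behaviour), silently skipping it (the described pre-0.6.0 behaviour), and a hypothetical secondary parser that ignores the length field and applies whatever `keyword=value` it can find. The record layout is the standard one (`<len> <keyword>=<value>\n`, with `<len>` counting the whole record including the digits and the newline); the sample bytes and the `../../escape` path are constructed for illustration.

```rust
// Added example, not code from astral-tokio-tar. Three toy PAX record parsers
// showing how "skip silently" becomes a parser differential against a parser
// that interprets the same malformed record.
use std::collections::BTreeMap;

#[derive(Debug, PartialEq)]
pub enum PaxError {
    /// No decimal length field followed by a space.
    BadLength,
    /// The length field does not match the record's real length.
    LengthMismatch { reported: usize, actual: usize },
    /// The record body has no '=' separating keyword and value.
    MissingEquals,
}

fn lossy(b: &[u8]) -> String {
    String::from_utf8_lossy(b).into_owned()
}

/// Parse one record whose trailing '\n' has already been split off.
fn parse_record(line: &[u8]) -> Result<(String, String), PaxError> {
    let sp = line.iter().position(|&b| b == b' ').ok_or(PaxError::BadLength)?;
    let reported: usize = std::str::from_utf8(&line[..sp])
        .ok()
        .and_then(|s| s.parse().ok())
        .ok_or(PaxError::BadLength)?;
    // The declared length includes the '\n' that split() removed.
    let actual = line.len() + 1;
    if reported != actual {
        return Err(PaxError::LengthMismatch { reported, actual });
    }
    let kv = &line[sp + 1..];
    let eq = kv.iter().position(|&b| b == b'=').ok_or(PaxError::MissingEquals)?;
    Ok((lossy(&kv[..eq]), lossy(&kv[eq + 1..])))
}

/// Split the header data into newline-terminated records.
fn records<'a>(data: &'a [u8]) -> impl Iterator<Item = &'a [u8]> + 'a {
    data.strip_suffix(b"\n").unwrap_or(data).split(|&b| b == b'\n')
}

/// Described 0.6.0+ behaviour: any malformed record fails the whole header.
pub fn parse_pax_strict(data: &[u8]) -> Result<BTreeMap<String, String>, PaxError> {
    let mut out = BTreeMap::new();
    for line in records(data) {
        let (k, v) = parse_record(line)?;
        out.insert(k, v);
    }
    Ok(out)
}

/// Described <= 0.5.6 behaviour: malformed records are dropped without error.
pub fn parse_pax_lenient(data: &[u8]) -> BTreeMap<String, String> {
    records(data)
        .filter_map(|line| parse_record(line).ok())
        .collect()
}

/// Hypothetical secondary misbehaving parser: ignores the length field and
/// applies any "keyword=value" it can find after the first space.
pub fn parse_pax_naive(data: &[u8]) -> BTreeMap<String, String> {
    records(data)
        .filter_map(|line| {
            let sp = line.iter().position(|&b| b == b' ')?;
            let kv = &line[sp + 1..];
            let eq = kv.iter().position(|&b| b == b'=')?;
            Some((lossy(&kv[..eq]), lossy(&kv[eq + 1..])))
        })
        .collect()
}

/// Constructed payload: a valid record, then one whose declared length (99)
/// does not match its real length (21).
pub const SAMPLE_PAX: &[u8] = b"20 path=docs/ok.txt\n99 path=../../escape\n";

fn main() {
    println!("strict:  {:?}", parse_pax_strict(SAMPLE_PAX));
    println!("lenient: {:?}", parse_pax_lenient(SAMPLE_PAX));
    println!("naive:   {:?}", parse_pax_naive(SAMPLE_PAX));
}
```

On `SAMPLE_PAX` the strict parser returns a `LengthMismatch` error, the lenient parser reports `path=docs/ok.txt` because it never saw the second record, and the naive parser reports `path=../../escape`. Two consumers of the same archive thus disagree about where the entry goes, which is the building block the advisory warns about; rejecting the record, as the strict parser does, removes astral-tokio-tar from that chain.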
## Patches
Versions 0.6.0 and newer of astral-tokio-tar reject invalid PAX extensions, rather than silently skipping them.
## Workarounds
Users are advised to upgrade to version 0.6.0 or newer to address this advisory.
Most users should experience no breaking changes as a result of the patch above. Some users who attempt to extract poorly constructed tar files may experience errors; users should re-construct their tar files with a conforming tar parser.
## Attribution
- Sergei Zimmerman (@xokdvium)
Vulnerability type
CWE-436 (Interpretation Conflict)
Published: 17 Mar 2026 · Updated: 20 Mar 2026 · First seen: 17 Mar 2026