tar-rs: Malicious archives can modify system directory permissions
USN-8138-2
Summary
A weakness in tar-rs, a Rust library used to extract tar archives, can be exploited by an attacker to change permissions on system directories. If a user or automated system extracts a specially crafted archive, the attacker could gain more access to the system. Update to the fixed version to prevent this.
What to do
- Update canonical rust-tar to version 0.4.26-1ubuntu0.1.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| Ubuntu:Pro:20.04:LTS | canonical | rust-tar | < 0.4.26-1ubuntu0.1 (fix: upgrade to 0.4.26-1ubuntu0.1) |
Original title
rust-tar vulnerability
Original description
USN-8138-1 fixed a vulnerability in tar-rs. This update provides the
corresponding update for Ubuntu 20.04 LTS.
Original advisory details:
It was discovered that tar-rs incorrectly handled symlinks when unpacking
a tar archive. If a user or automated system were tricked into processing
a specially crafted tar archive, a remote attacker could use this issue to
modify permissions of arbitrary directories outside the extraction root,
and possibly escalate privileges.
- https://ubuntu.com/security/notices/USN-8138-2 Vendor Advisory
- https://ubuntu.com/security/CVE-2026-33056 Third Party Advisory
Published: 14 Apr 2026 · Updated: 15 Apr 2026 · First seen: 15 Apr 2026