CVE-2026-32766: astral-tokio-tar insufficiently validates PAX extensions during extraction
In versions 0.5.6 and earlier of astral-tokio-tar, malformed PAX extensions were silently skipped when parsing tar archives. This silent skipping (rather than rejection) of invalid PAX extensions could be used as a building block for a parser differential, for example by having astral-tokio-tar silently skip a malformed GNU “long link” extension so that a subsequent parser would misinterpret the extension.
In practice, exploiting this behavior in astral-tokio-tar requires a secondary misbehaving tar parser, i.e., one that insufficiently validates malformed PAX extensions and interprets them rather than skipping or erroring on them. Consequently this advisory is considered low-severity within astral-tokio-tar itself, as it requires a separate vulnerability in an unrelated tar parser.
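As an added example (not code from astral-tokio-tar or its fix), the contrast the advisory draws: a strict parser for PAX extended-header records that rejects a malformed record with its offset and reason, next to a lenient one that silently stops, which is a simplified, assumed model of the pre-fix "skip" behaviour rather than the crate's exact logic.

```rust
// Added example, not code from astral-tokio-tar: a strict parser for PAX
// extended-header records next to a lenient "silently skip" model. Record
// format (POSIX pax): "<decimal length> <key>=<value>\n", length counting
// the whole record, digits, space and trailing newline included.

#[derive(Debug, PartialEq)]
pub enum PaxError { BadLength, Truncated, MissingNewline, MissingEquals, NotUtf8 }

/// Parse one record at the start of `rest`; returns (bytes consumed, key, value).
fn parse_record(rest: &[u8]) -> Result<(usize, String, String), PaxError> {
    let sp = rest.iter().position(|&b| b == b' ').ok_or(PaxError::BadLength)?;
    let digits = std::str::from_utf8(&rest[..sp]).map_err(|_| PaxError::BadLength)?;
    let len: usize = match digits.parse() {
        // Must be plain ASCII digits and cover at least digits, space and '\n'.
        Ok(n) if n > sp + 1 && digits.bytes().all(|b| b.is_ascii_digit()) => n,
        _ => return Err(PaxError::BadLength),
    };
    if len > rest.len() {
        return Err(PaxError::Truncated);
    }
    if rest[len - 1] != b'\n' {
        return Err(PaxError::MissingNewline);
    }
    let body = std::str::from_utf8(&rest[sp + 1..len - 1]).map_err(|_| PaxError::NotUtf8)?;
    let (k, v) = body.split_once('=').ok_or(PaxError::MissingEquals)?;
    Ok((len, k.to_string(), v.to_string()))
}

/// Strict: one malformed record rejects the whole header as (offset, error),
/// so no downstream consumer is handed a partially interpreted header.
pub fn parse_pax_strict(data: &[u8]) -> Result<Vec<(String, String)>, (usize, PaxError)> {
    let (mut pos, mut out) = (0, Vec::new());
    while pos < data.len() {
        let (n, k, v) = parse_record(&data[pos..]).map_err(|e| (pos, e))?;
        out.push((k, v));
        pos += n;
    }
    Ok(out)
}

/// Lenient model (an assumption for illustration, not the crate's exact
/// logic): a malformed record silently ends parsing; earlier records stand.
pub fn parse_pax_lenient(data: &[u8]) -> Vec<(String, String)> {
    let (mut pos, mut out) = (0, Vec::new());
    while let Ok((n, k, v)) = parse_record(&data[pos..]) {
        out.push((k, v));
        pos += n;
    }
    out
}
```

Two parsers fed the same header disagree exactly when the lenient one drops a record the strict one refuses; that disagreement is the parser differential the advisory describes.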
References
- github.com/advisories/GHSA-6gx3-4362-rf54
- github.com/astral-sh/tokio-tar
- github.com/astral-sh/tokio-tar/commit/e5e0139cae4577eeedf5fc16b65e690bf988ce52
- github.com/astral-sh/tokio-tar/security/advisories/GHSA-6gx3-4362-rf54
- nvd.nist.gov/vuln/detail/CVE-2026-32766
- rustsec.org/advisories/RUSTSEC-2026-0066.html
Detect and mitigate CVE-2026-32766 with GitLab Dependency Scanning