CVE-2026-32766
Description
astral-tokio-tar is a tar archive reading/writing library for async Rust. In versions 0.5.6 and earlier, malformed PAX extensions were silently skipped, rather than rejected, when parsing tar archives. This silent skipping of invalid PAX extensions could serve as a building block for a parser differential: for example, astral-tokio-tar could silently skip a malformed GNU "long link" extension that a subsequent parser then misinterprets, so the two parsers disagree about the archive. In practice, exploiting this behavior in astral-tokio-tar requires a secondary, misbehaving tar parser, i.e. one that insufficiently validates malformed PAX extensions and interprets them instead of skipping them or erroring out. The maintainers rate this low-severity because it requires a separate vulnerability in an unrelated tar parser; note, however, that the NVD CVSS 3.1 base score recorded below is 5.3 (Medium), while the GitHub CVSS 4.0 score is 1.7 (Low). This issue has been fixed in version 0.6.0; upgrading to 0.6.0 or later is the mitigation.
CVSS details
EPSS
This CVE is not currently listed in the EPSS dataset.
{
"cve": {
"id": "CVE-2026-32766",
"cveTags": [],
"metrics": {
"cvssMetricV31": [
{
"type": "Primary",
"source": "nvd@nist.gov",
"cvssData": {
"scope": "UNCHANGED",
"version": "3.1",
"baseScore": 5.3,
"attackVector": "NETWORK",
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"integrityImpact": "LOW",
"userInteraction": "NONE",
"attackComplexity": "LOW",
"availabilityImpact": "NONE",
"privilegesRequired": "NONE",
"confidentialityImpact": "NONE"
},
"impactScore": 1.4,
"exploitabilityScore": 3.9
}
],
"cvssMetricV40": [
{
"type": "Secondary",
"source": "security-advisories@github.com",
"cvssData": {
"Safety": "NOT_DEFINED",
"version": "4.0",
"Recovery": "NOT_DEFINED",
"baseScore": 1.7,
"Automatable": "NOT_DEFINED",
"attackVector": "NETWORK",
"baseSeverity": "LOW",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"exploitMaturity": "UNREPORTED",
"providerUrgency": "NOT_DEFINED",
"userInteraction": "NONE",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"privilegesRequired": "NONE",
"subIntegrityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"vulnAvailabilityImpact": "NONE",
"availabilityRequirement": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"subConfidentialityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"confidentialityRequirement": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"vulnerabilityResponseEffort": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED"
}
}
]
},
"published": "2026-03-20T00:16:18.100",
"references": [
{
"url": "https://github.com/astral-sh/tokio-tar/commit/e5e0139cae4577eeedf5fc16b65e690bf988ce52",
"tags": [
"Patch"
],
"source": "security-advisories@github.com"
},
{
"url": "https://github.com/astral-sh/tokio-tar/security/advisories/GHSA-6gx3-4362-rf54",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"source": "security-advisories@github.com"
}
],
"vulnStatus": "Analyzed",
"weaknesses": [
{
"type": "Primary",
"source": "security-advisories@github.com",
"description": [
{
"lang": "en",
"value": "CWE-436"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "astral-tokio-tar is a tar archive reading/writing library for async Rust. In versions 0.5.6 and earlier, malformed PAX extensions were silently skipped when parsing tar archives. This silent skipping (rather than rejection) of invalid PAX extensions could be used as a building block for a parser differential, for example by silently skipping a malformed GNU \u201clong link\u201d extension so that a subsequent parser would misinterpret the extension. In practice, exploiting this behavior in astral-tokio-tar requires a secondary misbehaving tar parser, i.e. one that insufficiently validates malformed PAX extensions and interprets them rather than skipping or erroring on them. This vulnerability is considered low-severity as it requires a separate vulnerability against any unrelated tar parser. This issue has been fixed in version 0.6.0."
},
{
"lang": "es",
"value": "astral-tokio-tar es una biblioteca de lectura/escritura de archivos tar para Rust as\u00edncrono. En las versiones 0.5.6 y anteriores, las extensiones PAX malformadas se omit\u00edan silenciosamente al analizar archivos tar. Esta omisi\u00f3n silenciosa (en lugar de rechazo) de extensiones PAX no v\u00e1lidas podr\u00eda usarse como un bloque de construcci\u00f3n para un diferencial de analizador, por ejemplo, omitiendo silenciosamente una extensi\u00f3n GNU 'long link' malformada para que un analizador posterior malinterpretara la extensi\u00f3n. En la pr\u00e1ctica, explotar este comportamiento en astral-tokio-tar requiere un analizador tar secundario con comportamiento incorrecto, es decir, uno que valide insuficientemente las extensiones PAX malformadas y las interprete en lugar de omitirlas o generar un error por ellas. Esta vulnerabilidad se considera de baja gravedad ya que requiere una vulnerabilidad separada contra cualquier analizador tar no relacionado. Este problema ha sido corregido en la versi\u00f3n 0.6.0."
}
],
"lastModified": "2026-04-17T21:09:16.900",
"configurations": [
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:astral:astral-tokio-tar:*:*:*:*:*:rust:*:*",
"vulnerable": true,
"matchCriteriaId": "725A3E2E-B367-4AE8-AD96-B93A99C035F8",
"versionEndExcluding": "0.6.0"
}
],
"operator": "OR"
}
]
}
],
"sourceIdentifier": "security-advisories@github.com"
}
}