CVE-2026-32766 in tokio-tar
Summary
by MITRE • 03/20/2026
astral-tokio-tar is a tar archive reading/writing library for async Rust. In versions 0.5.6 and earlier, malformed PAX extensions were silently skipped when parsing tar archives. This silent skipping (rather than rejection) of invalid PAX extensions could be used as a building block for a parser differential, for example by silently skipping a malformed GNU “long link” extension so that a subsequent parser would misinterpret the extension. In practice, exploiting this behavior in astral-tokio-tar requires a secondary misbehaving tar parser, i.e. one that insufficiently validates malformed PAX extensions and interprets them rather than skipping or erroring on them. This vulnerability is considered low-severity as it requires a separate vulnerability against any unrelated tar parser. This issue has been fixed in version 0.6.0.
Analysis
by VulDB Data Team • 03/23/2026
astral-tokio-tar is Astral's maintained fork of tokio-tar, an asynchronous tar archive reader and writer for Rust. Because archive handling code usually sits on a trust boundary (the archive typically comes from a package registry, a download, or another untrusted source), the way such a library deals with malformed input matters beyond the library itself. The issue in versions 0.5.6 and earlier is a subtle one: it is not a memory-safety bug or a path traversal, but a lenient handling choice for malformed PAX extensions that makes the library's view of an archive differ from that of a stricter or differently lenient parser.
A PAX extended header (typeflag 'x' for a single entry, 'g' for global) carries a data block made of records of the form "LENGTH KEY=VALUE\n", where LENGTH is the decimal byte count of the whole record including the length field and the trailing newline. Affected versions skipped a record that did not fit this shape instead of failing the entry: the library moved on without reporting anything to the caller, so the application never learned that the archive contained data it could not interpret. The issue is mapped to CWE-248 ("Uncaught Exception"), although the concrete failure here is the inverse of that label: an error condition that is swallowed rather than surfaced. The security-relevant consequence is that two parsers fed the same bytes can disagree about where one record ends and the next begins, and therefore about which keys and values (for example path or linkpath) apply to an entry.
On its own, skipping a malformed record has little impact: astral-tokio-tar simply ignores it. The problem arises in pipelines where the same archive is inspected by one parser and consumed by another, for instance a scanner, signature verifier, or policy check built on astral-tokio-tar in front of an extractor that tolerates the same malformed record and acts on it. An attacker can then craft an archive that looks harmless to the first parser (the offending record is invisible to it) while the second parser applies a path, link target, or size taken from that record. The advisory is explicit that this requires a second, independently misbehaving tar parser; that dependency is the reason for the low severity, not a reason to dismiss the class of bug. The ATT&CK mapping given for this entry is T1027.005, a sub-technique of T1027 (Obfuscated Files or Information); the fit is loose, since the mechanism is a disagreement between parsers rather than obfuscation of the payload itself, but the operational effect is the same: content that a detection step does not see but a consumer acts on.
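The two preceding paragraphs describe the record format and the parser differential in prose. The following is an added example, not code from astral-tokio-tar or any other project: a minimal PAX record parser with a lenient mode (models the pre-0.6.0 behaviour of dropping malformed records; the exact resync rule, skipping to the next newline, is an assumption of this example) and a strict mode (models the fix), alongside a hypothetical line-oriented "second parser" that ignores the length prefix. The crafted payload is constructed here to make the two disagree about the entry's path.

```rust
use std::collections::BTreeMap;

/// Errors a strict PAX parser reports instead of skipping.
#[derive(Debug, PartialEq, Eq)]
pub enum PaxError {
    /// The decimal length prefix is missing, non-numeric, or too small.
    BadLength,
    /// The record does not end in '\n', or has no "KEY=" separator.
    BadRecord,
    /// The length prefix points past the end of the payload.
    Truncated,
    /// Key or value is not valid UTF-8.
    Utf8,
}

/// Parse one PAX extended-header payload made of "LENGTH KEY=VALUE\n" records
/// (LENGTH counts every byte of the record, prefix and newline included).
///
/// `strict == false` models the pre-0.6.0 behaviour described on the page:
/// a malformed record is dropped and parsing resumes after the next newline
/// (that resync rule is an assumption of this example, not the library's code).
/// `strict == true` models the fix: the first malformed record fails the header.
pub fn parse_pax(data: &[u8], strict: bool) -> Result<BTreeMap<String, String>, PaxError> {
    let mut out = BTreeMap::new();
    let mut pos = 0;
    while pos < data.len() {
        match parse_record(&data[pos..]) {
            Ok((consumed, key, value)) => {
                out.insert(key, value);
                pos += consumed;
            }
            Err(e) if strict => return Err(e),
            Err(_) => {
                // Lenient: silently skip to just past the next newline, or to the end.
                let skip = data[pos..]
                    .iter()
                    .position(|&b| b == b'\n')
                    .map_or(data.len() - pos, |i| i + 1);
                pos += skip;
            }
        }
    }
    Ok(out)
}

/// Parse a single record at the start of `data`; returns (bytes consumed, key, value).
fn parse_record(data: &[u8]) -> Result<(usize, String, String), PaxError> {
    let space = data.iter().position(|&b| b == b' ').ok_or(PaxError::BadLength)?;
    if space == 0 || !data[..space].iter().all(u8::is_ascii_digit) {
        return Err(PaxError::BadLength);
    }
    let len: usize = std::str::from_utf8(&data[..space])
        .map_err(|_| PaxError::BadLength)?
        .parse()
        .map_err(|_| PaxError::BadLength)?;
    // The record must at least hold "LENGTH " plus a terminating newline.
    if len <= space + 1 {
        return Err(PaxError::BadLength);
    }
    if len > data.len() {
        return Err(PaxError::Truncated);
    }
    let record = &data[..len];
    if record[len - 1] != b'\n' {
        return Err(PaxError::BadRecord);
    }
    let body = &record[space + 1..len - 1];
    let eq = body.iter().position(|&b| b == b'=').ok_or(PaxError::BadRecord)?;
    if eq == 0 {
        return Err(PaxError::BadRecord);
    }
    let key = std::str::from_utf8(&body[..eq]).map_err(|_| PaxError::Utf8)?;
    let value = std::str::from_utf8(&body[eq + 1..]).map_err(|_| PaxError::Utf8)?;
    Ok((len, key.to_string(), value.to_string()))
}

/// Hypothetical second consumer that ignores the length prefix and treats every
/// line as "LENGTH KEY=VALUE". This plays the "secondary misbehaving tar parser"
/// the advisory requires; it is constructed for this example, not a real project.
pub fn parse_pax_naive(data: &[u8]) -> BTreeMap<String, String> {
    let mut out = BTreeMap::new();
    for line in data.split(|&b| b == b'\n').filter(|l| !l.is_empty()) {
        let text = match std::str::from_utf8(line) {
            Ok(t) => t,
            Err(_) => continue,
        };
        let body = text.split_once(' ').map_or(text, |(_, rest)| rest);
        if let Some((k, v)) = body.split_once('=') {
            out.insert(k.to_string(), v.to_string());
        }
    }
    out
}

/// Constructed payload: a valid `path` record, then a record whose length
/// prefix (5) does not cover its own line. A length-honouring parser sees a
/// malformed record there; a line-oriented parser sees a second `path` that wins.
pub const CRAFTED: &[u8] = b"10 path=a\n5 path=/etc/passwd\n";

fn main() {
    println!("lenient (pre-0.6.0 model): {:?}", parse_pax(CRAFTED, false));
    println!("naive second parser:       {:?}", parse_pax_naive(CRAFTED));
    println!("strict (0.6.0 model):      {:?}", parse_pax(CRAFTED, true));
}
```

Run with `cargo run` in a scratch crate: the lenient parser reports path=a, the naive parser reports path=/etc/passwd, and the strict parser rejects the header with BadRecord. The point of the fix is the third outcome: once the first parser refuses the archive outright, there is nothing left for a second parser to disagree about.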
The fix in version 0.6.0 is the conventional one: a malformed PAX extension now produces an error instead of being dropped, so a caller either gets a consistent set of extensions or a failure it can act on. Teams should upgrade to 0.6.0 or later; since astral-tokio-tar is usually pulled in transitively, `cargo tree -i astral-tokio-tar` shows which dependencies bring in an affected version and `cargo update -p astral-tokio-tar` refreshes the lockfile where the version constraints allow it. Two caveats apply. First, the upgrade only removes astral-tokio-tar's side of the differential; any pipeline in which a second tar implementation extracts what the first one validated is still exposed if that second parser tolerates malformed records, so the safer design is to have one parser both validate and extract, or to extract once with the strict parser and hand downstream consumers the resulting files rather than the original archive. Second, the low severity rating reflects the need for that second parser, not the absence of impact when such a parser exists.