UBUNTU-CVE-2026-33056

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2026-33056

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33056.json

JSON Data

https://api.test.osv.dev/v1/vulns/UBUNTU-CVE-2026-33056

Upstream

CVE-2026-33056

Published

2026-03-20T08:16:00Z

Modified

2026-03-25T17:36:53Z

Severity

5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Ubuntu - medium

Summary

[none]

Details

tar-rs is a tar archive reading/writing library for Rust. In versions 0.4.44 and below, when unpacking a tar archive, the tar crate's unpack_dir function uses fs::metadata() to check whether a path that already exists is a directory. Because fs::metadata() follows symbolic links, a crafted tarball containing a symlink entry followed by a directory entry with the same name causes the crate to treat the symlink target as a valid existing directory — and subsequently apply chmod to it. This allows an attacker to modify the permissions of arbitrary directories outside the extraction root. This issue has been fixed in version 0.4.45.

References

Affected packages

Ubuntu:20.04:LTS / rust-tar

Package

Name: rust-tar
Purl: pkg:deb/ubuntu/rust-tar@0.4.26-1?arch=source&distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.4.26-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "librust-tar+default-dev",
            "binary_version": "0.4.26-1"
        },
        {
            "binary_name": "librust-tar-dev",
            "binary_version": "0.4.26-1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33056.json"

Ubuntu:Pro:22.04:LTS / rust-tar

Package

Name: rust-tar
Purl: pkg:deb/ubuntu/rust-tar@0.4.37-3ubuntu0.1~esm1?arch=source&distro=esm-apps/jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.4.26-1

0.4.37-1

0.4.37-3

0.4.37-3ubuntu0.1~esm1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "librust-tar+default-dev",
            "binary_version": "0.4.37-3ubuntu0.1~esm1"
        },
        {
            "binary_name": "librust-tar-dev",
            "binary_version": "0.4.37-3ubuntu0.1~esm1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33056.json"

Ubuntu:24.04:LTS / rust-tar

Package

Name: rust-tar
Purl: pkg:deb/ubuntu/rust-tar@0.4.40-1?arch=source&distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.4.38-2

0.4.40-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "librust-tar-dev",
            "binary_version": "0.4.40-1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33056.json"

Ubuntu:25.10 / rust-tar

Package

Name: rust-tar
Purl: pkg:deb/ubuntu/rust-tar@0.4.43-4?arch=source&distro=questing

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.4.43-4

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "librust-tar-dev",
            "binary_version": "0.4.43-4"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33056.json"