CVE-2026-32766

In versions 0.5.6 and earlier of astral-tokio-tar, malformed PAX extensions were silently skipped when parsing tar archives. This silent skipping (rather than rejection) of invalid PAX extensions could be used as a building block for a parser differential, for example by having astral-tokio-tar silently skip a malformed GNU “long link” extension so that a subsequent parser would misinterpret the extension.

In practice, exploiting this behavior in astral-tokio-tar requires a secondary misbehaving tar parser, i.e. one that insufficiently validates malformed PAX extensions and interprets them rather than skipping or erroring on them. Consequently this advisory is considered low-severity within astral-tokio-tar itself, as it requires a separate vulnerability against any unrelated tar parser.

Versions 0.6.0 and newer of astral-tokio-tar reject invalid PAX extensions, rather than silently skipping them.

Users are advised to upgrade to version 0.6.0 or newer to address this advisory.

Most users should experience no breaking changes as a result of the patch above. Some users who attempt to extract poorly constructed tar files may experience errors; users should re-construct their tar files with a conforming tar parser.