CVE-2026-32766

Name of the Vulnerable Software and Affected Versions astral-tokio-tar versions 0.5.6 and earlier

Description astral-tokio-tar is a tar archive reading/writing library for async Rust. In versions 0.5.6 and earlier, malformed PAX extensions were silently skipped when parsing tar archives. This silent skipping, instead of rejection, of invalid PAX extensions could be used to create a parser differential, for example, by silently skipping a malformed GNU “long link” extension so that a subsequent parser would misinterpret the extension. Exploiting this behavior requires a secondary, misbehaving tar parser that insufficiently validates malformed PAX extensions and interprets them instead of skipping or erroring on them. This issue is considered low severity as it requires a separate issue against any unrelated tar parser.

Recommendations Upgrade to version 0.6.0 or newer to address this issue.