The vulnerability CVE-2026-32766 resides in the astral-tokio-tar library, a Rust-based asynchronous tar archive reader/writer. Versions 0.5.6 and earlier do not properly handle malformed PAX extensions within tar archives; instead of rejecting or erroring on these invalid extensions, the library silently skips them during parsing. This silent skipping can be exploited as part of a parser differential attack, where two different tar parsers interpret the same archive differently. Specifically, if a secondary tar parser does not sufficiently validate malformed PAX extensions and attempts to interpret them, it may misinterpret the archive contents due to the astral-tokio-tar parser skipping these extensions. Such a discrepancy can lead to inconsistent archive processing, potentially causing security issues such as bypassing security checks or triggering unexpected behavior in applications relying on tar parsing. However, exploitation requires the presence of a second vulnerable or misbehaving tar parser, limiting the practical impact. The vulnerability is classified under CWE-436 (Interpretation Conflict) and has been addressed in astral-tokio-tar version 0.6.0. The CVSS 4.0 score is 1.7, reflecting low severity due to the complexity and prerequisite conditions for exploitation. No known exploits have been reported in the wild as of the publication date.

The primary impact of this vulnerability is the potential for inconsistent interpretation of tar archive contents when multiple parsers are involved, which could lead to security bypasses or data integrity issues in systems that rely on tar archives for configuration, deployment, or data exchange. However, since exploitation requires a secondary vulnerable tar parser and malformed archives, the risk to most organizations is low. The vulnerability does not directly lead to remote code execution, privilege escalation, or denial of service. Instead, it could be leveraged as part of a more complex attack chain involving multiple components. Organizations using astral-tokio-tar in environments where tar archives are processed by multiple parsers or tools should be cautious, as this could cause subtle security or operational issues. Overall, the impact is limited but could affect software supply chains, CI/CD pipelines, or container image processing workflows that utilize tar archives and asynchronous Rust tooling.

To mitigate this vulnerability, organizations should upgrade astral-tokio-tar to version 0.6.0 or later, where the issue is fixed by proper validation and rejection of malformed PAX extensions. Additionally, review and audit all tar parsers used in the environment to ensure they correctly validate PAX extensions and do not silently accept malformed data. Implement strict input validation and sanitization for tar archives, especially those from untrusted sources. Where possible, standardize on a single, well-maintained tar parsing library to avoid parser differentials. Incorporate fuzz testing and static analysis tools to detect similar interpretation conflicts in archive handling code. Finally, monitor for any unusual behavior in systems processing tar archives, and maintain up-to-date dependency management practices to quickly apply security patches.