CVE-2026-33055: CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') in alexcrichton tar-rs
CVE-2026-33055 is a medium-severity vulnerability in tar-rs, the Rust tar archive library, affecting versions below 0.4.45. Versions 0.4.44 and earlier apply a PAX size record only when the ustar header's own size field is zero, whereas other tar implementations honor the PAX record unconditionally. The result, filed under CWE-843 (type confusion), is a parser differential: a crafted archive can present one file size to tar-rs and a different one to other tools, so what gets unpacked depends on which parser reads the archive. Exploitation requires no privileges or authentication, but it does require that a user or pipeline unpack an attacker-supplied archive. No exploitation in the wild has been reported, but any system that validates archives with one parser and unpacks them with tar-rs, or the reverse, is exposed to inconsistent or incorrect extraction. The issue is fixed in tar-rs 0.4.45.
AI Analysis
Technical Summary
CVE-2026-33055 affects tar-rs, the Rust crate (published on crates.io as tar) for reading and writing tar archives. A tar entry can carry its length in two places: the 12-byte octal size field of the ustar header, and a PAX extended header (typeflag 'x') preceding the entry that holds a size=<n> record intended to override that field. In tar-rs 0.4.44 and earlier, the PAX record was applied only when the ustar size field was zero; if the base header already carried a nonzero size, the PAX size was skipped. Other implementations, such as Go's archive/tar, apply the PAX size unconditionally. An archive that deliberately puts different values in the two places is therefore read with one length by tar-rs and another by other parsers: the entry appears with a different size and, since the bytes beyond the shorter length are still part of the entry's data block in the other view, with different contents. Because entry data is padded to 512-byte blocks, declared lengths that round to different block counts also shift where the next header is read, so later entries can diverge as well. The issue is tracked as CWE-843 but involves no memory corruption; it is a parser differential that undermines the integrity of any workflow that inspects an archive with one parser and unpacks it with another. Unpacking an attacker-supplied archive is required; no privileges or authentication are. tar-rs 0.4.45 fixes the issue by honoring the PAX size the same way other parsers do, so all of them see the same archive contents.
Potential Impact
The impact is on the integrity and consistency of archive unpacking in applications that use tar-rs. Any control that inspects an archive with one parser and relies on tar-rs to unpack it, or the reverse, can be shown two different pictures of the same bytes: a scanner, signature check or policy engine may approve contents that are not the ones actually written to disk. That matters for software supply chains, build and deployment pipelines, package and plugin installers, and other Rust-based systems that consume untrusted tar archives. The flaw does not by itself give remote code execution or privilege escalation; it is a building block for evading content validation, triggering application logic errors, or disrupting extraction with archives that unpack differently from how they were reviewed. No exploitation in the wild has been reported, so the immediate risk is moderate, but it is highest in environments where archive contents are trusted only after a separate validation step.
Mitigation Recommendations
The definitive fix is to upgrade tar-rs to 0.4.45 or later, where PAX size records are honored consistently with other parsers. Locate every copy in a build with cargo tree -i tar (the crate is published as tar), keeping in mind that the vulnerable version may arrive transitively rather than through a direct dependency, then rebuild and redeploy. Where the upgrade cannot land immediately, treat tar archives from untrusted sources as hostile input: parse each archive with a second implementation before unpacking and reject it if the entry names or sizes differ, perform any content validation with the same parser that does the extraction, and run extraction in a sandbox or isolated environment with bounded disk and no write access outside the target directory. Logging entry names and sizes at extraction time makes a later discrepancy investigable. Finally, make developers and DevOps teams aware of the inconsistency so that vulnerable versions are not reintroduced through pinned lockfiles or vendored copies.
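The differential described in the technical summary and the cross-parser consistency check recommended above, as an added example that is not tar-rs code and does not use the tar crate: a small std-only tar reader with two size-resolution policies, run over a constructed archive. The enum PaxSizePolicy, the functions parse, extract_if_consistent and build_archive, the file name note.sh and the sample payload are this example's own assumptions; the OnlyWhenBaseZero policy models the pre-0.4.45 behaviour as the advisory describes it rather than reproducing tar-rs source.

```rust
// Added example, not tar-rs code: a std-only tar reader with two ways of resolving a PAX
// size record, run over a constructed archive to show the CVE-2026-33055 parser differential.
const BLOCK: usize = 512;

/// How to resolve an entry carrying both a nonzero ustar size and a PAX `size` record.
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum PaxSizePolicy {
    OnlyWhenBaseZero, // PAX size honored only if the ustar size is 0 (pre-0.4.45 tar-rs, per the advisory)
    AlwaysOverride,   // PAX size always wins (Go archive/tar; tar-rs 0.4.45 and later)
}

#[derive(Clone, Debug, PartialEq)]
pub struct Entry { pub name: String, pub size: u64, pub data: Vec<u8> }

/// Decode a NUL- or space-terminated octal header field.
fn octal_field(buf: &[u8]) -> u64 {
    let s: String = buf.iter().take_while(|&&b| b != 0 && b != b' ').map(|&b| b as char).collect();
    u64::from_str_radix(s.trim(), 8).unwrap_or(0)
}

/// Find a `size` record in PAX data ("<len> <key>=<value>\n"; len counts the whole record).
fn pax_size(data: &[u8]) -> Option<u64> {
    let mut pos = 0;
    while pos < data.len() {
        let rest = &data[pos..];
        let sp = rest.iter().position(|&b| b == b' ')?;
        let len: usize = std::str::from_utf8(&rest[..sp]).ok()?.parse().ok()?;
        if len <= sp + 1 || len > rest.len() { return None; }
        if let Some(v) = std::str::from_utf8(&rest[sp + 1..len]).ok()?.strip_prefix("size=") {
            return v.trim_end_matches('\n').parse().ok();
        }
        pos += len;
    }
    None
}

/// Walk the archive; `policy` decides which declared size governs each regular entry.
pub fn parse(archive: &[u8], policy: PaxSizePolicy) -> Vec<Entry> {
    let (mut entries, mut pending_pax, mut off) = (Vec::new(), None, 0usize);
    while let Some(hdr) = archive.get(off..off + BLOCK) {
        if hdr.iter().all(|&b| b == 0) { break; } // end-of-archive marker
        let (base_size, typeflag) = (octal_field(&hdr[124..136]), hdr[156]);
        let name = String::from_utf8_lossy(&hdr[..100]).trim_end_matches('\0').to_string();
        let size = match (typeflag, policy, pending_pax.take()) {
            (b'x', _, _) => base_size,
            (_, PaxSizePolicy::AlwaysOverride, Some(p)) => p,
            (_, PaxSizePolicy::OnlyWhenBaseZero, Some(p)) if base_size == 0 => p,
            _ => base_size,
        };
        let start = off + BLOCK; // a declared size running past the buffer stops parsing rather than panicking
        let body = match start.checked_add(size as usize).and_then(|end| archive.get(start..end)) { Some(b) => b, None => break };
        off = start + (size as usize + BLOCK - 1) / BLOCK * BLOCK;
        if typeflag == b'x' { pending_pax = pax_size(body); continue; }
        entries.push(Entry { name, size, data: body.to_vec() });
    }
    entries
}

/// Mitigation from the advisory: unpack only if both views of the archive agree.
pub fn extract_if_consistent(archive: &[u8]) -> Result<Vec<Entry>, String> {
    let (strict, legacy) = (parse(archive, PaxSizePolicy::AlwaysOverride), parse(archive, PaxSizePolicy::OnlyWhenBaseZero));
    if strict != legacy {
        let sizes = |v: &[Entry]| v.iter().map(|e| format!("{}={}", e.name, e.size)).collect::<Vec<_>>();
        return Err(format!("parser differential: PAX view {:?} vs ustar view {:?}", sizes(&strict[..]), sizes(&legacy[..])));
    }
    Ok(strict)
}

/// One 512-byte ustar header for the constructed sample archive, with a valid checksum.
fn header(name: &str, size: usize, typeflag: u8) -> [u8; BLOCK] {
    let mut h = [0u8; BLOCK];
    h[..name.len()].copy_from_slice(name.as_bytes());
    h[100..107].copy_from_slice(b"0000644"); h[136..147].copy_from_slice(b"00000000000");
    h[124..135].copy_from_slice(format!("{:011o}", size).as_bytes());
    h[148..156].copy_from_slice(b"        "); h[156] = typeflag; // checksum is summed with its field blank
    h[257..263].copy_from_slice(b"ustar\0"); h[263..265].copy_from_slice(b"00");
    let sum: u32 = h.iter().map(|&b| u32::from(b)).sum();
    h[148..155].copy_from_slice(format!("{:06o}\0", sum).as_bytes());
    h
}

/// PAX record "<len> key=value\n"; the length prefix counts its own digits.
fn pax_record(key: &str, value: &str) -> Vec<u8> {
    let body = key.len() + value.len() + 3;
    let mut len = body + 1;
    while len.to_string().len() + body != len { len = len.to_string().len() + body; }
    format!("{} {}={}\n", len, key, value).into_bytes()
}

/// Constructed sample: `note.sh` with the full payload length in its ustar header, optionally preceded by a PAX header declaring `pax_size` instead.
pub fn build_archive(pax_size: Option<u64>, payload: &[u8]) -> Vec<u8> {
    let pad = |d: &[u8]| { let mut v = d.to_vec(); v.resize((d.len() + BLOCK - 1) / BLOCK * BLOCK, 0); v };
    let mut out = Vec::new();
    if let Some(n) = pax_size {
        let rec = pax_record("size", &n.to_string());
        out.extend_from_slice(&header("PaxHeaders/note.sh", rec.len(), b'x'));
        out.extend(pad(&rec[..]));
    }
    out.extend_from_slice(&header("note.sh", payload.len(), b'0'));
    out.extend(pad(payload));
    out.resize(out.len() + 2 * BLOCK, 0); // two zero blocks terminate the archive
    out
}

fn main() {
    let archive = build_archive(Some(6), b"benign\necho pwned\n");
    println!("{:?}", parse(&archive, PaxSizePolicy::OnlyWhenBaseZero)); // size 18, whole payload
    println!("{:?}", parse(&archive, PaxSizePolicy::AlwaysOverride)); // size 6, "benign" only
    println!("{:?}", extract_if_consistent(&archive).err());
}
```

With the 18-byte payload and a PAX record declaring 6, the OnlyWhenBaseZero policy returns note.sh as 18 bytes containing the whole payload, AlwaysOverride returns it as 6 bytes containing only "benign", and extract_if_consistent refuses the archive; an archive whose PAX and ustar sizes agree, or that carries no PAX header, passes. The header builder writes a standard checksum so the sample is meant to be a valid ustar/PAX stream that can be written to disk and fed to another implementation for the same comparison.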
Affected Countries
United States, Germany, China, Japan, South Korea, United Kingdom, France, Canada, Australia, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-17T18:10:50.213Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69bcf624e32a4fbe5f3a710c
Added to database: 3/20/2026, 7:24:20 AM
Last enriched: 3/20/2026, 7:39:39 AM
Last updated: 3/20/2026, 8:26:29 AM