CVE-2026-33056: CWE-61: UNIX Symbolic Link (Symlink) Following in alexcrichton tar-rs
tar-rs is a tar archive reading/writing library for Rust. In versions 0.4.44 and below, when unpacking a tar archive, the tar crate's unpack_dir function uses fs::metadata() to check whether a path that already exists is a directory. Because fs::metadata() follows symbolic links, a crafted tarball containing a symlink entry followed by a directory entry with the same name causes the crate to treat the symlink target as a valid existing directory — and subsequently apply chmod to it. This allows an attacker to modify the permissions of arbitrary directories outside the extraction root. This issue has been fixed in version 0.4.45.
AI Analysis
Technical Summary
The vulnerability CVE-2026-33056 affects the tar-rs Rust library, specifically versions 0.4.44 and earlier. The tar-rs library is used for reading and writing tar archives in Rust applications. The root cause lies in the unpack_dir function, which attempts to verify if a path already exists as a directory by calling fs::metadata(). However, fs::metadata() follows symbolic links rather than inspecting the symlink itself. An attacker can craft a tarball containing a symbolic link entry followed by a directory entry with the same name. When unpack_dir processes this tarball, it interprets the symlink target as an existing directory and applies chmod operations to it. This unintended behavior allows the attacker to modify permissions of arbitrary directories outside the extraction root, potentially altering access controls on sensitive system directories or files. The vulnerability does not require any privileges or authentication but does require the victim to unpack a malicious tar archive. The CVSS 4.0 base score is 5.1 (medium severity), reflecting network attack vector, low complexity, no privileges required, but requiring user interaction. No known exploits have been reported in the wild as of the publication date. The issue was addressed in tar-rs version 0.4.45 by correcting the directory existence check to avoid following symlinks improperly.
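The two checks side by side, as an added example rather than tar-rs code: `is_existing_dir_vulnerable` mirrors the `fs::metadata()` check the summary describes, while `is_existing_dir_hardened`, `unpack_dir_hardened`, `build_scenario` and `mode_of` are this example's own constructions, using lstat-style `fs::symlink_metadata()` as the hardened variant (not a quotation of the 0.4.45 patch). The scenario it builds in a scratch directory, a real directory plus a symlink pointing at it, is what a crafted archive would leave on disk before the directory entry is processed.

```rust
// Added example (not tar-rs code): the unpack_dir directory check in its
// vulnerable (fs::metadata) and hardened (fs::symlink_metadata) forms, exercised on
// a constructed scratch directory holding a real directory and a symlink to it.
use std::fs;
use std::io;
use std::os::unix::fs::{symlink, PermissionsExt};
use std::path::{Path, PathBuf};

/// Vulnerable form (tar-rs <= 0.4.44): fs::metadata() follows symlinks, so a
/// symlink pointing at a directory passes as an existing directory.
pub fn is_existing_dir_vulnerable(path: &Path) -> bool {
    fs::metadata(path).map(|m| m.is_dir()).unwrap_or(false)
}

/// Hardened form: fs::symlink_metadata() (lstat) describes the link itself, so a
/// symlink never passes as a directory and nothing is chmod'ed through it.
pub fn is_existing_dir_hardened(path: &Path) -> bool {
    fs::symlink_metadata(path).map(|m| m.is_dir()).unwrap_or(false)
}

/// Unpacks a directory entry: create it if absent, then set its mode. Anything
/// already present that is not a real directory (e.g. a symlink) is an error.
pub fn unpack_dir_hardened(dst: &Path, mode: u32) -> io::Result<()> {
    if !is_existing_dir_hardened(dst) {
        if fs::symlink_metadata(dst).is_ok() {
            let msg = format!("{} exists but is not a directory", dst.display());
            return Err(io::Error::new(io::ErrorKind::AlreadyExists, msg));
        }
        fs::create_dir_all(dst)?;
    }
    fs::set_permissions(dst, fs::Permissions::from_mode(mode))
}

/// Constructed scenario: a real directory `target` (mode 0755) and a symlink
/// `entry` pointing at it, as a crafted archive would leave them on disk.
pub fn build_scenario(root: &Path) -> io::Result<(PathBuf, PathBuf)> {
    let (target, entry) = (root.join("target"), root.join("entry"));
    fs::create_dir_all(&target)?;
    fs::set_permissions(&target, fs::Permissions::from_mode(0o755))?;
    symlink(&target, &entry)?;
    Ok((target, entry))
}

/// Permission bits of the path itself (not of a symlink's target).
pub fn mode_of(path: &Path) -> u32 {
    fs::symlink_metadata(path).map(|m| m.permissions().mode() & 0o777).unwrap_or(0)
}
```

Run `build_scenario` on a scratch directory and compare the two checks on `entry`: the vulnerable one reports a directory, the hardened one does not, and `unpack_dir_hardened` refuses the entry so `target` keeps its mode.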
Potential Impact
This vulnerability can lead to unauthorized modification of directory permissions outside the intended extraction directory, potentially weakening system security controls. If exploited, an attacker could escalate privileges indirectly by making sensitive directories writable or executable, facilitating further attacks such as code execution or data tampering. The impact is particularly significant for applications that automatically unpack tar archives from untrusted sources or in automated CI/CD pipelines. While the vulnerability does not directly allow code execution or data disclosure, the permission changes can be leveraged as part of a broader attack chain. Organizations using Rust applications or libraries that depend on tar-rs for archive extraction are at risk, especially if they process untrusted tar files. The lack of authentication and low attack complexity increase the risk, but the requirement for user interaction (unpacking the archive) limits remote exploitation scenarios. The absence of known active exploitation reduces immediate risk, but patching is critical to prevent future attacks.
Mitigation Recommendations
The primary mitigation is to upgrade the tar-rs library to version 0.4.45 or later, where the vulnerability is fixed. For organizations unable to upgrade immediately, consider implementing strict validation and sanitization of tar archives before unpacking, including rejecting archives containing symbolic links or entries with conflicting names. Employ sandboxing or containerization for processes that unpack archives to limit the impact of potential permission changes. Monitor file system permissions on critical directories for unexpected changes. Additionally, restrict the sources of tar archives to trusted parties and educate users about the risks of unpacking untrusted archives. Incorporate static or dynamic analysis tools to detect usage of vulnerable tar-rs versions in codebases. Finally, maintain up-to-date backups to recover from any unintended permission modifications.
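One way to implement the pre-unpack validation recommended above, as an added example that is not part of the advisory or of tar-rs: a minimal walk over raw ustar headers that flags the symlink-then-same-name-directory layout and can reject symlink entries outright. The function names, the placeholder link target and the constructed sample archive are this example's own; it reads only the basic 512-byte header fields and does not handle GNU long names or PAX extended headers, so treat it as a filter in front of the real extractor, not a replacement for upgrading.

```rust
// Added example (not tar-rs code): pre-extraction scan of raw ustar headers that rejects
// the advisory's layout (symlink entry, then a directory entry of the same name).
use std::collections::HashSet;
const BLOCK: usize = 512;

/// One header -> (name without trailing '/', type flag, payload size). None at the
/// all-zero end-of-archive block or on malformed input.
fn parse_header(h: &[u8]) -> Option<(String, u8, usize)> {
    if h.len() < BLOCK || h[..BLOCK].iter().all(|&b| b == 0) { return None; }
    let name_end = h[..100].iter().position(|&b| b == 0).unwrap_or(100);
    let name = String::from_utf8_lossy(&h[..name_end]).trim_end_matches('/').to_string();
    let size = String::from_utf8_lossy(&h[124..136]);
    let size = usize::from_str_radix(size.trim_matches(|c: char| c == '\0' || c == ' '), 8).ok()?;
    Some((name, h[156], size))
}

/// Walks the archive header by header (skipping payloads) and returns the reason it
/// should not be unpacked, if any. Type flag '2' is a symlink, '5' a directory.
pub fn scan_archive(data: &[u8], allow_symlinks: bool) -> Result<(), String> {
    let mut symlink_names = HashSet::new();
    let mut off = 0;
    while let Some((name, typ, size)) = data.get(off..).and_then(parse_header) {
        match typ {
            b'2' if !allow_symlinks => return Err(format!("symlink entry '{}'", name)),
            b'2' => { symlink_names.insert(name); }
            b'5' if symlink_names.contains(&name) => {
                return Err(format!("directory '{}' reuses an earlier symlink name", name));
            }
            _ => {}
        }
        off += BLOCK + (size + BLOCK - 1) / BLOCK * BLOCK; // header + payload padded to 512
    }
    Ok(())
}

/// Constructed ustar header, zero-length payload, checksum omitted (the scanner ignores it).
pub fn header(name: &str, typ: u8, link: &str) -> [u8; BLOCK] {
    let mut h = [0u8; BLOCK];
    h[..name.len()].copy_from_slice(name.as_bytes());
    h[124..135].copy_from_slice(b"00000000000");
    h[156] = typ;
    h[157..157 + link.len()].copy_from_slice(link.as_bytes());
    h[257..262].copy_from_slice(b"ustar");
    h
}

/// Constructed sample in the advisory's layout: symlink `share` to a placeholder outside path, then directory `share`.
pub fn sample_malicious() -> Vec<u8> {
    [header("share", b'2', "/placeholder/outside"), header("share/", b'5', ""), [0; BLOCK], [0; BLOCK]].concat()
}
```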
Affected Countries
United States, Germany, China, Japan, South Korea, United Kingdom, France, Canada, Australia, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-17T18:10:50.213Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69bcf9b8e32a4fbe5f3bdae1
Added to database: 3/20/2026, 7:39:36 AM
Last enriched: 3/20/2026, 7:54:07 AM
Last updated: 5/3/2026, 10:41:19 AM