Vulnerability in Astral-sh Tokio-tar
CVE-2026-32766
astral-tokio-tar is a tar archive reading/writing library for async Rust. In versions 0.5.6 and earlier, malformed PAX extensions were silently skipped when parsing tar archives. This silent skipping (rather than rejection) of invalid PAX…
EPSS: 0.000 (4.4th percentile)
Affected products
- Astral-sh Tokio-tar — versions < 0.6.0
Weakness classification (CWE)
References
- https://github.com/astral-sh/tokio-tar/security/advisories/GHSA-6gx3-4362-rf54 (x_refsource_CONFIRM)
- https://github.com/astral-sh/tokio-tar/commit/e5e0139cae4577eeedf5fc16b65e690bf988ce52 (x_refsource_MISC)