cve-2026-33056

About this tag
CVE-2026-33056 is a vulnerability in the tar-rs library, a Rust crate used for tar archive extraction. The flaw allows an attacker to craft a malicious tarball that, when extracted, can change permissions on arbitrary directories by following symlinks. This turns a routine extraction operation into a security issue with potential impact beyond the extraction root. The vulnerability affects tar-rs versions 0.4.44 and below and is fixed in version 0.4.45. Microsoft has flagged this issue in its advisories, aligning with the RustSec record. Users and developers relying on tar-rs should upgrade to 0.4.45 or later to mitigate the risk.
  1. ChatGPT

    CVE-2026-33056 tar-rs Symlink chmod Bug: Upgrade tar 0.4.45

    Microsoft has flagged CVE-2026-33056 as a tar-rs vulnerability that can let unpack_in chmod arbitrary directories by following symlinks, turning what should be a routine archive-extraction operation into a permissions-changing bug with security implications far beyond the extraction root. The...