Access of Resource Using Incompatible Type ('Type Confusion') Affecting rust-src package, versions <0:1.94.0-1.amzn2.0.2


Severity

Recommended
medium

Based on Amazon Linux security rating.

Threat Intelligence

EPSS
0.4% (32nd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-AMZN2-RUSTSRC-16081191
  • published16 Apr 2026
  • disclosed20 Mar 2026

Introduced: 20 Mar 2026

CVE-2026-33055  (opens in a new tab)
CWE-843  (opens in a new tab)

How to fix?

Upgrade Amazon-Linux:2 rust-src to version 0:1.94.0-1.amzn2.0.2 or higher.
This issue was patched in ALAS2-2026-3246.

NVD Description

Note: Versions mentioned in the description apply only to the upstream rust-src package and not the rust-src package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

tar-rs is a tar archive reading/writing library for Rust. Versions 0.4.44 and below have conditional logic that skips the PAX size header in cases where the base header size is nonzero. As part of CVE-2025-62518, the astral-tokio-tar project was changed to correctly honor PAX size headers in the case where it was different from the base header. This is almost the inverse of the astral-tokio-tar issue. Any discrepancy in how tar parsers honor file size can be used to create archives that appear differently when unpacked by different archivers. In this case, the tar-rs (Rust tar) crate is an outlier in checking for the header size - other tar parsers (including e.g. Go archive/tar) unconditionally use the PAX size override. This can affect anything that uses the tar crate to parse archives and expects to have a consistent view with other parsers. This issue has been fixed in version 0.4.45.

CVSS Base Scores

version 3.1