Access of Resource Using Incompatible Type ('Type Confusion') Affecting tar package, versions <0.4.46


Severity

high (CVSS assessment by Snyk's Security Team)

  • Snyk ID: SNYK-RUST-TAR-17111093
  • Published: 31 May 2026
  • Disclosed: 29 May 2026
  • Credit: woodruffw

Introduced: 29 May 2026

CVE: not available. CWE: CWE-843

How to fix?

Upgrade tar to version 0.4.46 or higher.

Overview

tar is a Rust implementation of a TAR file reader and writer. This library does not currently handle compression, but it is abstract over all I/O readers and writers. Additionally, great lengths are taken to ensure that the entire contents are never required to be entirely resident in memory all at once.

Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type ('Type Confusion') through the EntriesFields::next path in the tar archive reader. An attacker can smuggle files or hide entries by supplying a tar stream that combines PAX x/g headers with GNU L/K extension headers, causing the parser to apply PAX metadata to the wrong record. This causes tar to advance through the archive differently than other tar parsers do, allowing crafted archives to present one file layout to validation or inspection code and a different one to extraction, leaving the user without reliable archive contents or file integrity.
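As an added illustration, not code from the tar crate or from this advisory, the following scanner walks raw ustar header blocks and flags the header sequence described above: a PAX x/g header and a GNU L/K header both preceding the same data record, which is the case a consumer may want to reject before handing an archive to any extractor. It assumes only the POSIX header layout (typeflag at byte 156, octal size at bytes 124..136) and constructs its own sample blocks; the global 'g' header is treated like a per-entry header for simplicity.

```rust
const BLOCK: usize = 512;

/// Parse the 12-byte octal size field at bytes 124..136 of a header block.
fn entry_size(block: &[u8]) -> Option<usize> {
    let s = std::str::from_utf8(&block[124..136]).ok()?;
    let s = s.trim_end_matches(|c: char| c == '\0' || c == ' ');
    if s.is_empty() { return Some(0); }
    usize::from_str_radix(s, 8).ok()
}

/// Walk the header blocks of `archive` and return the offsets of data records
/// that were preceded by BOTH a PAX ('x'/'g') header and a GNU ('L'/'K')
/// header: the mixed extension sequence the advisory describes.
pub fn find_mixed_extension_records(archive: &[u8]) -> Vec<usize> {
    let mut hits = Vec::new();
    let (mut pos, mut saw_pax, mut saw_gnu) = (0usize, false, false);
    while pos + BLOCK <= archive.len() {
        let block = &archive[pos..pos + BLOCK];
        if block.iter().all(|&b| b == 0) { break; } // end-of-archive marker
        let size = match entry_size(block) { Some(s) => s, None => break };
        match block[156] {                             // typeflag byte
            b'x' | b'g' => saw_pax = true,
            b'L' | b'K' => saw_gnu = true,
            _ => {
                if saw_pax && saw_gnu { hits.push(pos); }
                saw_pax = false;
                saw_gnu = false;
            }
        }
        // skip the header plus its data, rounded up to whole 512-byte blocks
        pos += BLOCK + (size + BLOCK - 1) / BLOCK * BLOCK;
    }
    hits
}

/// Build one header block followed by zero-filled data blocks
/// (constructed test data, not a real archive).
pub fn record(typeflag: u8, data_len: usize) -> Vec<u8> {
    let mut b = vec![0u8; BLOCK + (data_len + BLOCK - 1) / BLOCK * BLOCK];
    b[156] = typeflag;
    b[124..135].copy_from_slice(format!("{:011o}", data_len).as_bytes());
    b
}

fn main() {
    // PAX header, then a GNU long-name header, then the file they both describe
    let mixed: Vec<u8> =
        [record(b'x', 30), record(b'L', 12), record(b'0', 100), vec![0u8; 2 * BLOCK]].concat();
    println!("{:?}", find_mixed_extension_records(&mixed)); // [2048]
}
```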
