CVE-2026-33055: tar-rs incorrectly ignores PAX size headers if header size is nonzero

Overview

Severity

N/A

Exploit Status

Not Exploited

Patch Tuesday

2026-Mar

Released

2026-03-25

Last Updated

2026-04-29

EPSS Score

0.02% (percentile: 4.0%)

Affected Products (17)

Open Source Software

• cbl2 kata-containers 3.2.0.azl2-7 on CBL Mariner 2.0
• cbl2 kata-containers-cc 3.2.0.azl2-8 on CBL Mariner 2.0
• azl3 kata-containers-cc 3.15.0.aks0-7 on Azure Linux 3.0
• cbl2 rpm-ostree 2022.1-8 on CBL Mariner 2.0
• azl3 rust 1.75.0-25 on Azure Linux 3.0
• azl3 trident 0.21.0-1 on Azure Linux 3.0
• azl3 kata-containers-cc 3.15.0.aks0-8 on Azure Linux 3.0
• cbl2 rust 1.72.0-15 on CBL Mariner 2.0
• azl3 rust 1.75.0-27 on Azure Linux 3.0
• azl3 rust 1.90.0-6 on Azure Linux 3.0
• cbl2 rust 1.72.0-14 on CBL Mariner 2.0
• azl3 rpm-ostree 2024.4-6 on Azure Linux 3.0
• azl3 rust 1.90.0-4 on Azure Linux 3.0
• azl3 rpm-ostree 2024.4-8 on Azure Linux 3.0

Other

• 21254-17084
• 21255-17084
• 21223-17084

Revision History

• 2026-03-25: Information published.
• 2026-03-31: Information published.
• 2026-04-14: Information published.
• 2026-04-15: Information published.
• 2026-04-19: Information published.
• 2026-04-20: Information published.
• 2026-04-29: Information published.
• 2026-04-29: Information published.