CVE-2026-33056: tar-rs: unpack_in can chmod arbitrary directories by following symlinks

Overview

Severity

N/A

Exploit Status

Not Exploited

Patch Tuesday

2026-Mar

Released

2026-03-25

EPSS Score

0.02% (percentile: 4.6%)

Affected Products (9)

Open Source Software

• azl3 kata-containers-cc 3.15.0.aks0-7 on Azure Linux 3.0
• azl3 rust 1.90.0-4 on Azure Linux 3.0
• cbl2 rust 1.72.0-14 on CBL Mariner 2.0
• azl3 rust 1.75.0-25 on Azure Linux 3.0

Other

• 20978-17084
• 20393-17086
• 20394-17086
• 20878-17086
• 20955-17084

Revision History

• 2026-03-25: Information published.