CVE-2021-33643: An attacker who submits a crafted tar file with size in header struct being 0 may be able to trigger an cal...
An attacker who submits a crafted tar file with size in header struct being 0 may be able to trigger an calling of malloc(0) for a variable gnu_longlink, causing an out-of-bounds read.
Security readout for executives and security teams
Plain-English summary
CVE-2021-33643 affects libtar before 1.2.21. A crafted tar archive can trigger unsafe memory reading when the archive header size is zero. The likely business risk is limited data exposure or service disruption in systems that process untrusted tar files.
Executive priority
Treat this as a moderate patching item. Prioritize internet-facing or automated archive-processing services first, then standard server fleet updates. There is no provided evidence of active exploitation.
Technical view
The issue is a CWE-125 out-of-bounds read in libtar involving malloc(0) for gnu_longlink when a crafted tar header has size 0. CVSS 3.1 is 6.5, with network attack vector, low complexity, no privileges, no user interaction, low confidentiality impact, and low availability impact.
Likely exposure
Exposure is most likely in applications, services, appliances, or Linux distributions using libtar versions earlier than 1.2.21 and processing tar archives supplied by users, partners, or automated feeds.
Exploitation context
The bundle marks KEV as false, and no provided source states active exploitation. The CVSS vector indicates remote, unauthenticated reachability where a vulnerable service processes attacker-controlled tar archives, but the sources do not provide exploit maturity details.
Researcher notes
Focus validation on libtar call paths that parse GNU longlink entries in attacker-controlled tar archives. The source evidence supports out-of-bounds read, low confidentiality impact, and low availability impact, but does not describe a specific leak primitive, crash condition, or exploit chain.
Mitigation direction
Inventory systems and applications using libtar before 1.2.21.
Apply relevant vendor package updates from Fedora, openEuler, or Debian LTS guidance.
Upgrade embedded or bundled libtar copies to a non-vulnerable release.
Restrict processing of untrusted tar archives until affected components are updated.
Check vendor guidance for platform-specific fixed package versions.
Validation and detection
Confirm installed libtar versions are not earlier than 1.2.21.
Review SBOMs and dependency manifests for bundled libtar copies.
Identify public or partner-facing workflows that ingest tar files.
Verify vendor advisory packages are installed on affected Linux distributions.
Check vulnerability scanner results against actual package and embedded-library versions.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-125: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-125 · source CWE mapping
Out-of-bounds Read
Out-of-bounds Read represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.