E-Ink News Daily

Security advisory for Cargo

The Rust Security Response Team disclosed CVE-2026-33056, a vulnerability in the third-party tar crate used by Cargo that allows malicious crates to change permissions on arbitrary directories during extraction. The crates.io registry has been patched and audited, with no exploitation found, and Rust 1.94.1 will be released with a fix. Users of alternate registries should verify with their vendors, as older Cargo versions remain vulnerable.

Background

Cargo is Rust's package manager and build system, responsible for downloading and extracting dependencies from registries like crates.io. The tar crate is a widely used Rust library for handling tar archives.

Source: Lobsters
Published: Mar 22, 2026 at 03:12 PM
Score: 8.0 / 10