Cargo Security Advisory: Directory Permission Vulnerability in Tar Extraction
This Q&A provides detailed information about a recently discovered security vulnerability in Cargo, the Rust package manager. The issue, tracked as CVE-2026-33056, resides in the third-party tar crate and could allow malicious crates to alter directory permissions on a user's filesystem. Below, we address the key aspects of the vulnerability, the actions taken, and what users should do.
1. What vulnerability was discovered affecting Cargo?
The Rust Security Response Team was alerted to a vulnerability in the tar crate, a third-party library Cargo uses to unpack package archives. The flaw, formally tracked as CVE-2026-33056, lets a specially crafted malicious crate change the permissions of arbitrary directories on the filesystem when Cargo extracts it. Because Cargo runs as the invoking user, any directory that user can modify is in scope, so a crafted crate could loosen the protection of system or user directories that other tools and users rely on.

2. How does the vulnerability work?
When Cargo extracts a package, it hands the archive to the tar crate, which walks the entries and creates the corresponding files and directories. The advisory does not spell out the exact trigger; the effect is that a crafted archive can cause the tar crate to apply an attacker-chosen mode to a directory outside the package's own extraction directory, for example making a sensitive directory world-writable. This happens during extraction alone, before any build script or code from the crate runs, so it is a supply-chain risk that fetching the dependency is enough to trigger.
3. What has been done to protect crates.io users?
For users of the public crates.io registry, the Rust team deployed a server-side change on March 13, 2026 to block uploading crates that attempt to exploit this vulnerability. Additionally, a thorough audit of all crates ever published to crates.io was conducted. No crates were found to be actively exploiting this issue. This immediate mitigation ensures that new crate uploads cannot abuse the vulnerability, and existing crates have been verified as safe.
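The two previous answers describe the shape of the problem (archive entries that reach outside the package directory or carry hostile mode bits) and a registry-side upload check as the mitigation. The following is an added example written for this page, not Cargo's, the tar crate's, or the crates.io team's code, and it does not reproduce the CVE-2026-33056 trigger, which the advisory does not publish. It implements a conservative pre-extraction audit over a raw ustar stream: it flags paths that escape the extraction root, hard links and symlinks, entries that pass through an earlier symlink entry, and world-writable directory entries. The entry names, the `foo-0.1.0` package and the `/tmp` link target are constructed for the example, and the archive is assumed to be already gunzipped (a `.crate` file is a gzipped tar).

```rust
// Added example: a minimal ustar scanner with a rejection policy a registry
// could apply before accepting an upload. Not Cargo/tar/crates.io code.
const BLOCK: usize = 512;

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Entry {
    pub path: String,
    pub mode: u32,
    pub typeflag: u8,
    pub linkname: String,
    pub size: u64,
}

// NUL-terminated field of a 512-byte ustar header.
fn field(h: &[u8], off: usize, len: usize) -> &[u8] {
    let f = &h[off..off + len];
    let end = f.iter().position(|&b| b == 0).unwrap_or(len);
    &f[..end]
}

// Numeric ustar fields are ASCII octal, padded with spaces or NULs.
fn octal(h: &[u8], off: usize, len: usize) -> u64 {
    let s = String::from_utf8_lossy(field(h, off, len));
    u64::from_str_radix(s.trim_matches(|c| c == ' ' || c == '\0'), 8).unwrap_or(0)
}

/// Parse a raw tar stream. A bad header checksum is an error rather than a
/// skipped entry, so a tampered header cannot hide from the policy.
pub fn parse_tar(data: &[u8]) -> Result<Vec<Entry>, String> {
    let mut entries = Vec::new();
    let mut off = 0;
    while off + BLOCK <= data.len() {
        let h = &data[off..off + BLOCK];
        if h.iter().all(|&b| b == 0) {
            break; // end-of-archive marker
        }
        // The checksum is computed with its own field treated as spaces.
        let computed: u64 = h.iter().enumerate()
            .map(|(i, &b)| if (148..156).contains(&i) { 32 } else { b as u64 })
            .sum();
        if octal(h, 148, 8) != computed {
            return Err(format!("bad header checksum at offset {off}"));
        }
        let name = String::from_utf8_lossy(field(h, 0, 100)).into_owned();
        let prefix = String::from_utf8_lossy(field(h, 345, 155)).into_owned();
        let size = octal(h, 124, 12);
        entries.push(Entry {
            path: if prefix.is_empty() { name } else { format!("{prefix}/{name}") },
            mode: octal(h, 100, 8) as u32,
            typeflag: h[156],
            linkname: String::from_utf8_lossy(field(h, 157, 100)).into_owned(),
            size,
        });
        // File data follows the header, padded to whole 512-byte blocks.
        off += BLOCK + ((size as usize + BLOCK - 1) / BLOCK) * BLOCK;
    }
    Ok(entries)
}

/// Generic rejection policy; each finding is a reason to refuse the archive.
pub fn audit(entries: &[Entry]) -> Vec<String> {
    let mut findings = Vec::new();
    let mut symlinks: Vec<String> = Vec::new();
    for e in entries {
        let p = e.path.trim_end_matches('/');
        if e.path.starts_with('/') || p.split('/').any(|c| c == "..") {
            findings.push(format!("{}: path escapes the extraction root", e.path));
        }
        if symlinks.iter().any(|s| p == s.as_str() || p.starts_with(format!("{s}/").as_str())) {
            findings.push(format!("{}: path passes through an earlier symlink entry", e.path));
        }
        match e.typeflag {
            b'1' => findings.push(format!("{}: hard link to {}", e.path, e.linkname)),
            b'2' => {
                findings.push(format!("{}: symlink to {}", e.path, e.linkname));
                symlinks.push(p.to_string());
            }
            b'5' if e.mode & 0o002 != 0 => {
                findings.push(format!("{}: world-writable directory (mode {:o})", e.path, e.mode))
            }
            b'0' | 0 | b'5' => {}
            other => findings.push(format!("{}: unsupported entry type {:?}", e.path, other as char)),
        }
    }
    findings
}

pub fn scan(data: &[u8]) -> Result<Vec<String>, String> {
    parse_tar(data).map(|entries| audit(&entries))
}

// Build one ustar header with a valid checksum (used only to construct sample input).
fn header(path: &str, mode: u32, typeflag: u8, link: &str, size: usize) -> [u8; BLOCK] {
    let mut h = [0u8; BLOCK];
    h[..path.len()].copy_from_slice(path.as_bytes());
    h[100..107].copy_from_slice(format!("{mode:07o}").as_bytes());
    h[124..135].copy_from_slice(format!("{size:011o}").as_bytes());
    h[148..156].copy_from_slice(b"        ");
    h[156] = typeflag;
    h[157..157 + link.len()].copy_from_slice(link.as_bytes());
    h[257..263].copy_from_slice(b"ustar\0");
    h[263..265].copy_from_slice(b"00");
    let sum: u64 = h.iter().map(|&b| b as u64).sum();
    h[148..155].copy_from_slice(format!("{sum:06o}\0").as_bytes());
    h
}

/// Constructed sample, not a real crate: a package dir, a manifest, a symlink
/// pointing outside the tree, and a world-writable directory placed on top of it.
pub fn sample_archive() -> Vec<u8> {
    let manifest = b"[package]\nname = \"foo\"\n";
    let mut t = Vec::new();
    t.extend_from_slice(&header("foo-0.1.0/", 0o755, b'5', "", 0));
    t.extend_from_slice(&header("foo-0.1.0/Cargo.toml", 0o644, b'0', "", manifest.len()));
    t.extend_from_slice(manifest);
    t.resize(t.len() + (BLOCK - manifest.len() % BLOCK) % BLOCK, 0);
    t.extend_from_slice(&header("foo-0.1.0/out", 0o777, b'2', "/tmp", 0));
    t.extend_from_slice(&header("foo-0.1.0/out/", 0o777, b'5', "", 0));
    t.extend_from_slice(&[0u8; 2 * BLOCK]);
    t
}

fn main() {
    for f in scan(&sample_archive()).expect("well-formed archive") {
        println!("reject: {f}");
    }
}
```

The symlink-prefix check is the generic tar hazard worth knowing about: once an extractor has created a symlink, later entries whose paths pass through it are created or chmod'ed wherever the link points. Whether that is the exact mechanism behind CVE-2026-33056 is not stated on this page; the check is included because a registry that refuses links and traversal outright removes that whole class of behaviour regardless of the extractor in use.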
4. What should users of alternate registries do?
If you use an alternate registry (for example a private or self-hosted one), the Rust team recommends contacting the registry vendor to ask whether it has deployed a server-side mitigation comparable to the one on crates.io. The upcoming Rust 1.94.1 release carries a patched tar crate, so a Cargo from that release is protected regardless of which registry it talks to. Older Cargo versions, however, remain vulnerable when they fetch crates from a registry that has not deployed its own mitigation, and most organisations cannot move every build machine to the new toolchain at once, so the registry-side block is what protects them in the meantime.
5. When will the fix be released?
The Rust team will release Rust 1.94.1 on March 26, 2026. This release includes an updated tar crate with the security fix, along with other non-security patches for the Rust toolchain. Users are strongly encouraged to update as soon as it becomes available. Note that the update protects only the toolchain that is upgraded: builds still running an older Cargo against an alternate registry stay exposed until either that Cargo is updated or the registry blocks exploitation attempts on upload.
6. Who discovered and helped mitigate the vulnerability?
The vulnerability in the underlying tar crate was discovered by Sergei Zimmerman, who reported it privately to the Rust project in advance of disclosure. William Woodruff directly assisted the crates.io team with implementing mitigations. Within the Rust project, several members coordinated the response: Eric Huss patched Cargo itself; Tobias Bieniek, Adam Harvey, and Walter Pearce patched crates.io and analyzed existing crates; Emily Albini and Josh Stone coordinated the overall response; and Emily Albini also drafted this advisory.
7. Is there any evidence of exploitation?
After auditing all crates ever published to crates.io, the Rust team can confirm that no crates on crates.io are exploiting this vulnerability. The server-side change deployed on March 13, 2026 also prevents any future uploads from containing such exploits. However, users of alternate registries should verify their own registries' security posture, as the audit only covered the official crates.io registry.