Security Advisory for Cargo

Emily Albini

Mar 21, 2026, 9:13:13 AM
to rustlang-securi...@googlegroups.com

# Security Advisory for Cargo

The Rust Security Response Team was notified of a vulnerability in the
third-party crate [`tar`], used by Cargo to extract packages during a build.
The vulnerability, tracked as [CVE-2026-33056], allows a malicious crate to
change the permissions on arbitrary directories on the filesystem when Cargo
extracts it during a build.

For users of the public crates.io registry, we deployed a change on March 13th
to prevent uploading crates exploiting this vulnerability, and we audited all
crates ever published. We can confirm that no crates on crates.io are
exploiting this.

For users of alternate registries, please contact the vendor of your registry
to verify whether you are affected by this. The Rust team will release Rust
1.94.1 on March 26th, 2026, updating to a patched version of the `tar` crate
(along with other non-security fixes for the Rust toolchain), but that won't
protect users of older versions of Cargo using alternate registries.

We'd like to thank Sergei Zimmerman for discovering the underlying [`tar`]
crate vulnerability and notifying the Rust project ahead of time, and William
Woodruff for directly assisting the crates.io team with the mitigations. We'd
also like to thank the Rust project members involved in this advisory: Eric
Huss for patching Cargo; Tobias Bieniek, Adam Harvey and Walter Pearce for
patching crates.io and analyzing existing crates; Emily Albini and Josh Stone
for coordinating the response; and Emily Albini for writing this advisory.

[`tar`]: https://crates.io/crates/tar
[CVE-2026-33056]: https://www.cve.org/CVERecord?id=CVE-2026-33056
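The advisory says crates.io now rejects uploads that exploit this bug but does not describe the exact mechanism, so the following is an added example of the general registry-side check a vendor could run, not the Rust project's or crates.io's own code: it reads the headers of a `.crate` archive (a gzipped tar) without extracting anything and flags entries whose path or link target would resolve outside the extraction root, which is assumed here to be the class of defect involved. The `tar` crate is Rust; Python's standard `tarfile` is used so the check is self-contained, and the sample archive is constructed inline.

```python
import io
import posixpath
import tarfile


def escapes_root(path: str) -> bool:
    """True if a POSIX path, resolved lexically, lands outside the extraction root."""
    if path.startswith("/"):
        return True
    norm = posixpath.normpath(path)
    return norm == ".." or norm.startswith("../")


def audit_crate_tarball(data: bytes) -> list[tuple[str, str]]:
    """Return (entry name, reason) for entries that could touch paths outside the root; nothing is extracted."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf:
            if escapes_root(m.name):
                findings.append((m.name, "entry path escapes extraction root"))
                continue
            if m.issym() or m.islnk():
                # Symlink targets are relative to the entry's directory; hard-link
                # targets are relative to the archive root.
                target = m.linkname if m.islnk() else posixpath.join(posixpath.dirname(m.name), m.linkname)
                if escapes_root(target):
                    findings.append((m.name, f"link target escapes extraction root: {m.linkname}"))
            elif m.isdev():
                findings.append((m.name, "device node in archive"))
    return findings


def build_sample_crate() -> bytes:
    """Constructed .crate-style archive: one benign manifest plus two entries an auditor should flag."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        manifest = tarfile.TarInfo("foo-1.0.0/Cargo.toml")
        body = b'[package]\nname = "foo"\nversion = "1.0.0"\n'
        manifest.size = len(body)
        tf.addfile(manifest, io.BytesIO(body))
        link = tarfile.TarInfo("foo-1.0.0/escape")  # symlink pointing above the root
        link.type = tarfile.SYMTYPE
        link.linkname = "../../.."
        tf.addfile(link)
        outside = tarfile.TarInfo("../outside")  # directory entry with parent traversal
        outside.type = tarfile.DIRTYPE
        tf.addfile(outside)
    return buf.getvalue()
```

Running `audit_crate_tarball(build_sample_crate())` reports the symlink and the traversing directory entry and leaves the manifest alone; a registry would reject the upload on any finding.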
