5 Critical Facts About the Cargo/tar Vulnerability: What Rust Users Must Know

From Eatin3d, the free encyclopedia of technology

If you use Rust and Cargo for building projects, a recently discovered security flaw in the tar crate could put your system at risk. The vulnerability, officially tracked as CVE-2026-33056, allows a malicious crate to change permissions on arbitrary directories during extraction. This advisory breaks down everything you need to know—from the technical details to the fixes already rolling out. Stay informed and protect your environment.

1. Vulnerability Details: How the tar Crate Exploit Works

The Rust Security Response Team received a report about a flaw in the third-party tar crate, which Cargo uses to extract packages during builds. The exploit leverages a path traversal technique combined with permission manipulation. When Cargo decompresses a specially crafted tarball, an attacker can alter the permissions of any directory on the filesystem—not just within the build directory. This means a malicious crate could escalate privileges or tamper with critical system folders. The vulnerability exists due to insufficient validation of symbolic links and permission headers inside the archive. Thankfully, the attack surface is limited to the extraction step, but the consequences can be severe if an unpatched version is used with untrusted crates from any registry.

Source: blog.rust-lang.org

2. Impact on crates.io: No Exploitation Found, But Mitigations Deployed

The official crates.io registry took immediate action. On March 13th, 2026, the team deployed a server-side change that blocks uploads of crates attempting to exploit this vulnerability. In addition, they conducted a thorough audit of every crate ever published to the registry. The good news: no crate on crates.io currently contains the exploit. This proactive measure means ordinary users pulling code from the public registry are safe. However, the registry now enforces stricter checks on tarball structures, rejecting suspicious permission entries. This adds an extra layer of safety beyond the upcoming Cargo patch.

3. What Users of Alternate Registries Need to Do Right Now

If you rely on a private or alternate registry (such as a corporate mirror or a third-party index), the situation is different. crates.io’s mitigations do not extend to those systems. You should immediately contact your registry vendor to ask whether they have implemented similar protections. Without a patched version of Cargo, older Rust toolchains (before 1.94.1) remain vulnerable when downloading from unmoderated registries. A suggested workaround is to temporarily verify the integrity of each crate manually or use a sandboxing tool like Docker for builds. The Rust team emphasizes that the upcoming release won’t help users stuck on older Cargo versions using alternate registries—so upgrading the whole toolchain is strongly recommended.

4. The Upcoming Fix: Rust 1.94.1 and Patched tar Crate

On March 26th, 2026, the Rust project will release version 1.94.1 of the compiler toolchain. This update includes a patched copy of the tar crate that closes CVE-2026-33056. The fix adds proper validation of permission header fields, rejecting any tarball that attempts to change directory permissions outside the extraction target. Besides the security fix, Rust 1.94.1 also bundles other non-security improvements for the toolchain. Users are advised to update as soon as it becomes available via rustup update stable. Note that this patch protects only new extractions—any damage already done would need to be undone separately. The update is especially critical for CI/CD environments and multi-user systems where permission changes could have cascading effects.
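The kinds of archive entries that sections 1 through 4 describe (paths that climb out of the extraction directory, symbolic links, and permission headers that change directory modes) can be audited before anything is written to disk. The program below is an added example for readers who want to inspect a crate tarball by hand, as section 3 suggests; it is not code from the Rust project, the tar crate, or Cargo, and the fix in Rust 1.94.1 is not claimed to work this way. It assumes the archive is the uncompressed tar inside a .crate file in ustar layout, uses only the standard library, and the names `audit`, `Finding`, `escapes_target`, and `sample_archive` are hypothetical. The sample archive is constructed in memory and deliberately contains two entries the audit should flag.

```rust
// Added example (not the tar crate's or Cargo's code): a conservative
// pre-extraction audit of a tar archive. It parses ustar headers with std
// only and reports paths leaving the extraction target, link entries, and
// directories with permission bits unusual for a source crate.
use std::path::{Component, Path};

const BLOCK: usize = 512;

#[derive(Debug, PartialEq)]
pub enum Finding {
    CorruptHeader(usize),        // header checksum mismatch at this byte offset
    PathEscapesTarget(String),
    LinkEntry(String, String),   // (entry path, link target)
    SuspiciousMode(String, u32), // directory with setuid/setgid/sticky or o+w
}

pub struct Entry { pub path: String, pub mode: u32, pub size: u64, pub typeflag: u8, pub linkname: String }

/// NUL-terminated string field.
fn cstr(bytes: &[u8]) -> String {
    let end = bytes.iter().position(|&b| b == 0).unwrap_or(bytes.len());
    String::from_utf8_lossy(&bytes[..end]).into_owned()
}

/// Octal numeric field; unparsable fields read as 0.
fn octal(bytes: &[u8]) -> u64 { u64::from_str_radix(cstr(bytes).trim(), 8).unwrap_or(0) }

/// ustar checksum: byte sum of the block with the checksum field counted as spaces.
fn checksum_ok(h: &[u8]) -> bool {
    let computed: u64 = h.iter().enumerate()
        .map(|(i, &b)| if (148..156).contains(&i) { 0x20 } else { b as u64 }).sum();
    octal(&h[148..156]) == computed
}

/// Walks header blocks without extracting; Err carries the offset of a bad header.
pub fn parse_entries(archive: &[u8]) -> Result<Vec<Entry>, usize> {
    let mut entries = Vec::new();
    let mut off = 0usize;
    while off + BLOCK <= archive.len() {
        let h = &archive[off..off + BLOCK];
        if h.iter().all(|&b| b == 0) { break; } // end-of-archive marker
        if !checksum_ok(h) { return Err(off); }
        let name = cstr(&h[0..100]);
        let prefix = if &h[257..262] == b"ustar" { cstr(&h[345..500]) } else { String::new() };
        let path = if prefix.is_empty() { name } else { format!("{}/{}", prefix, name) };
        let size = octal(&h[124..136]);
        entries.push(Entry { path, mode: octal(&h[100..108]) as u32, size, typeflag: h[156], linkname: cstr(&h[157..257]) });
        // File data is padded to whole blocks; refuse size fields that would overflow the offset.
        let padded = (size as usize).checked_add(BLOCK - 1).map(|s| s / BLOCK * BLOCK);
        off = match padded.and_then(|p| off.checked_add(BLOCK)?.checked_add(p)) {
            Some(o) => o,
            None => return Err(off),
        };
    }
    Ok(entries)
}

/// True when the path, joined to an extraction root, would resolve outside it.
pub fn escapes_target(path: &str) -> bool {
    let mut depth: i64 = 0;
    for c in Path::new(path).components() {
        match c {
            Component::Normal(_) => depth += 1,
            Component::CurDir => {}
            Component::ParentDir => { depth -= 1; if depth < 0 { return true; } }
            Component::RootDir | Component::Prefix(_) => return true,
        }
    }
    false
}

pub fn audit(archive: &[u8]) -> Vec<Finding> {
    let entries = match parse_entries(archive) { Ok(e) => e, Err(off) => return vec![Finding::CorruptHeader(off)] };
    let mut findings = Vec::new();
    for e in &entries {
        if escapes_target(&e.path) { findings.push(Finding::PathEscapesTarget(e.path.clone())); }
        match e.typeflag {
            b'1' | b'2' => findings.push(Finding::LinkEntry(e.path.clone(), e.linkname.clone())),
            b'5' if e.mode & 0o7002 != 0 => findings.push(Finding::SuspiciousMode(e.path.clone(), e.mode)),
            _ => {}
        }
    }
    findings
}

/// Builds one ustar header block (constructed test data, paths under 100 bytes).
pub fn header(path: &str, mode: u32, size: u64, typeflag: u8, linkname: &str) -> [u8; BLOCK] {
    let mut h = [0u8; BLOCK];
    h[..path.len()].copy_from_slice(path.as_bytes());
    h[100..108].copy_from_slice(format!("{:07o}\0", mode).as_bytes());
    h[124..136].copy_from_slice(format!("{:011o}\0", size).as_bytes());
    h[156] = typeflag;
    h[157..157 + linkname.len()].copy_from_slice(linkname.as_bytes());
    h[257..263].copy_from_slice(b"ustar\0");
    h[263..265].copy_from_slice(b"00");
    h[148..156].copy_from_slice(b"        ");
    let sum: u32 = h.iter().map(|&b| b as u32).sum();
    h[148..156].copy_from_slice(format!("{:06o}\0 ", sum).as_bytes());
    h
}

/// Constructed archive: a benign crate layout plus two entries the audit should flag.
pub fn sample_archive() -> Vec<u8> {
    let mut a = Vec::new();
    a.extend_from_slice(&header("demo-0.1.0/", 0o755, 0, b'5', ""));
    let body = b"fn main() {}\n";
    a.extend_from_slice(&header("demo-0.1.0/src/main.rs", 0o644, body.len() as u64, b'0', ""));
    a.extend_from_slice(body);
    a.resize(a.len() + (BLOCK - body.len() % BLOCK) % BLOCK, 0); // pad data to a block
    a.extend_from_slice(&header("demo-0.1.0/escape", 0o777, 0, b'2', "../../outside")); // symlink entry
    a.extend_from_slice(&header("../outside/", 0o777, 0, b'5', "")); // traversing, world-writable dir
    a.extend_from_slice(&[0u8; BLOCK * 2]); // end-of-archive marker
    a
}

fn main() {
    for f in audit(&sample_archive()) { println!("{:?}", f); }
}
```

Running it on the constructed archive reports the symlink entry, the directory whose path climbs above the target, and that directory's world-writable mode; flipping a single header byte is reported as a corrupt header instead. Flagging every link entry is a deliberately blunt policy: links are rare in source crates, and the symlink-plus-permission-header combination described in section 1 depends on one. Treat this as a triage aid for archives from an alternate registry, not as a substitute for moving to Rust 1.94.1.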

5. Credits: The Team Behind the Discovery and Fix

This coordinated effort highlights the strength of the Rust community. Credit goes to Sergei Zimmerman for discovering the underlying vulnerability in tar and responsibly disclosing it to the Rust Security Response Team ahead of time. William Woodruff directly assisted the crates.io team with designing and deploying the mitigation measures. On the development side, Eric Huss patched Cargo itself, while Tobias Bieniek, Adam Harvey, and Walter Pearce worked on crates.io’s defense and analysis of existing crates. Emily Albini and Josh Stone coordinated the overall response, and Emily Albini also wrote the advisory. The collaborative nature of this response ensures users can trust both the public registry and the upcoming Rust release.

This vulnerability serves as a reminder to always keep your tools up to date and to be cautious when using alternate registries. By following the steps outlined above, you can prevent a malicious crate from compromising your system’s file permissions. Stay safe and keep coding!