Atinec Stack
2026-05-04
Cybersecurity

Cargo Vulnerability FAQ: Understanding the tar Crate Security Issue

FAQ about CVE-2026-33056 in the tar crate used by Cargo: how it works, crates.io mitigation, alternate registry advice, and Rust 1.94.1 release date.

This FAQ addresses the recent security advisory concerning a vulnerability in the tar crate used by Cargo. The flaw, identified as CVE-2026-33056, allowed a malicious crate to alter directory permissions during extraction. Below we answer key questions about the issue, mitigation steps, and what users should do.

What is the vulnerability in the tar crate affecting Cargo?

The vulnerability, tracked as CVE-2026-33056, resides in the third-party tar crate that Cargo uses to extract packages during a build. It permits a specially crafted crate to change the permissions on arbitrary directories on the filesystem when extracted. The change is applied with the privileges of whoever runs Cargo, so a directory that user owns can be made writable by other local accounts, which is a well-known stepping stone to further compromise of that user or, on shared build hosts, of the system. The flaw was responsibly disclosed by security researcher Sergei Zimmerman to the Rust Security Response Team.

Source: blog.rust-lang.org

How does the vulnerability work?

When extracting a crafted archive, the tar crate's permission handling could be made to apply the archive's permission bits to a directory the attacker chose rather than only to the files being unpacked, for example making that directory world-writable, without the user being aware of it. The vulnerability does not require any special privileges; it exploits a missing validation in the tar crate's permission handling logic, and is triggered simply by building a project that depends on the malicious crate.

Has any malicious crate been found exploiting this on crates.io?

No. After deploying a mitigation on March 13th, 2026, the crates.io team audited every crate ever published to the registry and confirmed that no crate on crates.io currently exploits, or has ever exploited, this vulnerability. The public registry is therefore not a vector for this issue. Note that this statement covers crates.io only; it says nothing about crates hosted on private or alternate registries.

What actions were taken on crates.io to prevent exploitation?

On March 13th, the crates.io team implemented a change that prevents uploading crates that could exploit this vulnerability. This was a server-side validation that blocks any tar archive with suspicious permission entries. Additionally, the team audited the entire historical database of crates to ensure no previously published crate contained malicious permission changes. Contributors Tobias Bieniek, Adam Harvey, and Walter Pearce led the patching and analysis of existing crates.
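The mechanism described under "How does the vulnerability work?" and the registry-side validation described above both come down to inspecting the tar archive inside a `.crate` file before anything is extracted. The following is an added example, not code from the Rust project or crates.io, and the exact checks crates.io deployed are not published on this page: it walks ustar headers with the standard library only (no `tar` crate), verifies each header checksum, and reports directory entries whose path escapes the extraction root or whose mode bits are world-writable. The archive it scans is constructed in memory and is not a real crate.

```rust
// Added example: registry-style pre-extraction audit of a tar archive.
// Pure std; parses 512-byte ustar headers directly. The sample archive
// below is constructed test data, not a real published crate.

const BLOCK: usize = 512;

#[derive(Debug, PartialEq)]
pub struct Finding {
    pub path: String,
    pub reason: String,
}

/// NUL-terminated, space-padded header field as a String.
fn field_str(b: &[u8]) -> String {
    let end = b.iter().position(|&c| c == 0).unwrap_or(b.len());
    String::from_utf8_lossy(&b[..end]).trim().to_string()
}

/// Octal numeric header field (empty field reads as 0).
fn field_octal(b: &[u8]) -> Option<u64> {
    let s = field_str(b);
    if s.is_empty() { return Some(0); }
    u64::from_str_radix(&s, 8).ok()
}

/// The stored checksum must equal the byte sum of the header with the
/// checksum field itself treated as eight ASCII spaces.
fn checksum_ok(h: &[u8]) -> bool {
    let stored = match field_octal(&h[148..156]) { Some(v) => v, None => return false };
    let computed: u64 = h.iter().enumerate()
        .map(|(i, &c)| if (148..156).contains(&i) { 32 } else { c as u64 })
        .sum();
    stored == computed
}

/// Walk every header without extracting anything and collect the entries a
/// registry would refuse: corrupt headers, paths that leave the extraction
/// root, and directory entries that would be left world-writable.
pub fn audit_tar(data: &[u8]) -> Vec<Finding> {
    let mut findings = Vec::new();
    let mut off = 0;
    while off + BLOCK <= data.len() {
        let h = &data[off..off + BLOCK];
        if h.iter().all(|&c| c == 0) { break; } // end-of-archive marker
        if !checksum_ok(h) {
            findings.push(Finding { path: field_str(&h[0..100]), reason: "bad header checksum".into() });
            break; // size field cannot be trusted, so stop walking
        }
        let mut name = field_str(&h[0..100]);
        let prefix = field_str(&h[345..500]);
        if &h[257..263] == b"ustar\0" && !prefix.is_empty() {
            name = format!("{}/{}", prefix, name);
        }
        let mode = field_octal(&h[100..108]).unwrap_or(0);
        let size = field_octal(&h[124..136]).unwrap_or(0) as usize;
        let is_dir = h[156] == b'5';
        if name.starts_with('/') || name.split('/').any(|c| c == "..") {
            findings.push(Finding { path: name.clone(), reason: "path escapes extraction root".into() });
        }
        if is_dir && (mode & 0o002) != 0 {
            findings.push(Finding { path: name.clone(), reason: format!("directory mode {:04o} is world-writable", mode) });
        }
        // Skip the entry's data blocks, rounded up to a whole 512-byte block.
        off += BLOCK + ((size + BLOCK - 1) / BLOCK) * BLOCK;
    }
    findings
}

/// Build one ustar header with a valid checksum (constructed test data).
pub fn ustar_header(name: &str, mode: u32, typeflag: u8, size: usize) -> [u8; BLOCK] {
    assert!(name.len() < 100, "long names would need the prefix field");
    let mut h = [0u8; BLOCK];
    h[..name.len()].copy_from_slice(name.as_bytes());
    h[100..107].copy_from_slice(format!("{:07o}", mode).as_bytes());
    h[108..115].copy_from_slice(b"0000000"); // uid
    h[116..123].copy_from_slice(b"0000000"); // gid
    h[124..135].copy_from_slice(format!("{:011o}", size).as_bytes());
    h[136..147].copy_from_slice(b"00000000000"); // mtime
    h[148..156].copy_from_slice(b"        "); // checksum computed over spaces
    h[156] = typeflag;
    h[257..263].copy_from_slice(b"ustar\0");
    h[263..265].copy_from_slice(b"00");
    let sum: u32 = h.iter().map(|&c| c as u32).sum();
    h[148..155].copy_from_slice(format!("{:06o}\0", sum).as_bytes());
    h
}

/// Constructed archive: a benign directory and source file, then a
/// world-writable directory entry and a parent-traversal directory entry.
pub fn sample_archive() -> Vec<u8> {
    let mut out = Vec::new();
    out.extend_from_slice(&ustar_header("demo-0.1.0/", 0o755, b'5', 0));
    let src = b"fn main() {}\n";
    out.extend_from_slice(&ustar_header("demo-0.1.0/src/main.rs", 0o644, b'0', src.len()));
    out.extend_from_slice(src);
    out.resize(out.len() + (BLOCK - src.len() % BLOCK) % BLOCK, 0);
    out.extend_from_slice(&ustar_header("demo-0.1.0/src", 0o777, b'5', 0));
    out.extend_from_slice(&ustar_header("../../.cargo", 0o755, b'5', 0));
    out.extend_from_slice(&[0u8; BLOCK * 2]);
    out
}

fn main() {
    for f in audit_tar(&sample_archive()) {
        println!("reject {}: {}", f.path, f.reason);
    }
}
```

A real `.crate` file is gzip-compressed, so a registry would decompress it first (with a size cap) and then run a check of this shape over the stream; rejecting at upload time, as crates.io did, is cheaper and safer than relying on every client having a patched Cargo.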

What should users of alternate registries do?

If you use a private registry or an alternative crate repository, contact the vendor or administrator of that registry to verify whether they have applied mitigations. The Cargo fix (via a patched tar crate) protects users who update to Rust 1.94.1 or later, regardless of which registry they download from. Users still running an older Cargo, however, remain exposed to any crate a registry accepts, and alternate registries, unlike crates.io, may not yet block such uploads. Registry administrators are therefore urged to adopt similar validation checks on uploaded crates, since they cannot assume every client has updated.

When will the patched version of Rust be released?

The Rust team announced that Rust 1.94.1 will be released on March 26th, 2026. This release includes an update to the tar crate that fixes the vulnerability, along with other non-security improvements to the Rust toolchain. Users are encouraged to update as soon as it becomes available. Note that this patch protects only clients that install it; alternate registries must independently ensure they reject malicious crates so that users who have not yet updated are also covered.

Who discovered and helped fix this vulnerability?

The discovery was made by Sergei Zimmerman, who responsibly disclosed the underlying tar crate vulnerability to the Rust project. William Woodruff directly assisted the crates.io team with mitigation measures. Within the Rust project, Eric Huss patched Cargo; Tobias Bieniek, Adam Harvey, and Walter Pearce worked on the crates.io side; and Emily Albini and Josh Stone coordinated the overall response. Emily Albini also authored the advisory. Their coordinated efforts ensured a swift and comprehensive fix.