
Cargo Vulnerability and Mitigation: Securing Package Extraction with Rust's tar Crate Fix

Last updated: 2026-05-01 08:03:06

Introduction

The Rust Security Response Team recently addressed a significant vulnerability identified in the third-party tar crate, a critical component used by Cargo for extracting packages during builds. Tracked as CVE-2026-33056, this flaw could allow a malicious crate to alter permissions on arbitrary directories within the filesystem when extracted by Cargo. This article details the vulnerability, the response from the Rust and crates.io teams, and the necessary steps for users to ensure their environments remain secure.

Source: blog.rust-lang.org

Vulnerability Details

The tar crate, which Cargo relies on to unpack dependency packages, contained a weakness that let a crafted archive set permissions on directories it should never touch. Specifically, if a user builds a project that depends on a crafted crate, the extraction process could change permissions on directories outside the intended extraction path. This poses a serious risk, since altered permissions on system or user directories could lead to unauthorized access or system compromise.

The issue was discovered by Sergei Zimmerman, who responsibly reported it to the Rust project ahead of any public disclosure. The vulnerability affects all versions of Cargo that use the unpatched tar crate.

Response and Mitigation

Actions Taken on crates.io

For users of the public crates.io registry, the Rust team acted swiftly. On March 13, 2026, a change was deployed to the registry that prevents the upload of any crate exploiting this vulnerability. Additionally, a thorough audit of all crates ever published to crates.io was conducted. The investigation confirmed that no crates on crates.io are exploiting this issue, providing reassurance to the majority of Rust developers relying on the default registry.

Impact on Alternate Registries

Organizations using private or third-party registries face a different situation. The deployed mitigation on crates.io does not automatically protect users of these registries. The Rust team advises administrators and users of alternate registries to contact the respective registry vendor to verify whether they are vulnerable to CVE-2026-33056.

Upcoming Rust Release

The Rust project will release version 1.94.1 on March 26, 2026. This update includes a patched version of the tar crate, along with other non-security fixes for the Rust toolchain. Note that this release only protects users who actually update their toolchain: developers who stay on older versions of Cargo and use alternate registries remain at risk until they update or apply other mitigations.

Recommendations for Users

  • For crates.io users: No immediate action is required beyond ensuring you are on an up-to-date Rust toolchain. The registry-level mitigation prevents exploitation from new uploads.
  • For alternate registry users: Reach out to your registry provider to confirm whether they have implemented similar protections. Consider updating to Rust 1.94.1 once it is released.
  • General best practices: Always use the latest stable version of Rust and Cargo. Regularly audit your dependencies for known vulnerabilities.
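As an added example (not code from the Rust project, Cargo, or the tar crate), here is a std-only pre-extraction check in Rust that walks a crate archive's uncompressed tar headers and flags entries whose path or symlink target would resolve outside the extraction directory, the class of problem described under Vulnerability Details and the kind of dependency audit recommended above. It assumes the .crate file has already been gunzipped and builds its sample input with a constructed header helper; since the page does not describe the exact trigger for CVE-2026-33056, this is a generic confinement audit, not a signature for that CVE.

```rust
use std::path::{Component, Path};
/// NUL-terminated text field at a fixed offset inside a 512-byte ustar header.
fn field(block: &[u8], start: usize, len: usize) -> String {
    let end = block[start..start + len].iter().position(|&b| b == 0).unwrap_or(len);
    String::from_utf8_lossy(&block[start..start + end]).into_owned()
}

/// True if `p` is relative and never climbs above the directory it starts in.
pub fn is_confined(p: &Path) -> bool {
    let mut depth = 0i32;
    p.components().all(|c| match c {
        Component::Prefix(_) | Component::RootDir => false,
        Component::ParentDir => { depth -= 1; depth >= 0 }
        Component::Normal(_) => { depth += 1; true }
        Component::CurDir => true,
    })
}

/// Walks uncompressed ustar bytes; one finding per entry that would resolve outside the extraction dir.
pub fn scan_tar(bytes: &[u8]) -> Vec<String> {
    let (mut findings, mut off) = (Vec::new(), 0usize);
    while off + 512 <= bytes.len() {
        let block = &bytes[off..off + 512];
        if block.iter().all(|&b| b == 0) { break; } // end-of-archive marker
        let (name, prefix) = (field(block, 0, 100), field(block, 345, 155));
        let path = if prefix.is_empty() { name } else { format!("{prefix}/{name}") };
        let size = usize::from_str_radix(field(block, 124, 12).trim(), 8).unwrap_or(0);
        if !is_confined(Path::new(&path)) {
            findings.push(format!("{path}: path escapes the extraction directory"));
        }
        if block[156] == b'2' { // symlink: its target is relative to the link's directory
            let target = field(block, 157, 100);
            let parent = Path::new(&path).parent().unwrap_or(Path::new(""));
            if !is_confined(&parent.join(&target)) {
                findings.push(format!("{path}: symlink target {target} escapes"));
            }
        }
        off += 512 + ((size + 511) / 512) * 512; // skip header plus 512-padded data
    }
    findings
}

/// Constructed sample header for demonstration only: no checksum (the scanner does not verify one), size left zeroed.
pub fn header(name: &str, typeflag: u8, linkname: &str) -> [u8; 512] {
    let mut h = [0u8; 512];
    h[..name.len()].copy_from_slice(name.as_bytes());
    h[156] = typeflag;
    h[157..157 + linkname.len()].copy_from_slice(linkname.as_bytes());
    h
}
```

Feed `scan_tar` the gunzipped bytes of a .crate file and treat any finding as grounds to reject the package before it reaches Cargo; an empty result means only that paths are confined, so updating to Rust 1.94.1 remains the actual fix.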

Acknowledgments

The Rust Security Response Team extends thanks to Sergei Zimmerman for discovering the underlying tar crate vulnerability and to William Woodruff for directly assisting the crates.io team with mitigation efforts. Additionally, the following Rust project members contributed to the response: Eric Huss for patching Cargo; Tobias Bieniek, Adam Harvey, and Walter Pearce for patching crates.io and analyzing existing crates; Emily Albini and Josh Stone for coordinating the response; and Emily Albini for writing the original security advisory.

This article is a general overview of the vulnerability and the response to it; for the official advisory, refer to the Rust Security Team's original notice.