The Rust Security Response Team has identified a security flaw in the third-party tar crate, which Cargo relies upon to extract packages during the build process. This vulnerability, designated CVE-2026-33056, creates a potential attack vector in which a malicious crate could modify directory permissions at arbitrary filesystem locations during Cargo's extraction operations.
The crates.io registry team implemented protective measures on March 13th to block uploads of crates attempting to exploit this security issue. A comprehensive audit of the entire historical crate repository has been completed, confirming that no published packages on crates.io have leveraged this vulnerability.
Organizations using alternative registry providers should contact their respective vendors to assess their exposure to this security issue. The Rust team has scheduled the release of Rust 1.94.1 for March 26th, 2026; it will ship a remediated version of the tar crate alongside additional toolchain improvements. Note that this update will not protect users who continue to run older Cargo versions against alternate registries.
The team extends gratitude to Sergei Zimmerman for identifying the underlying tar crate
security flaw and providing advance notification to the Rust project, as well as to William Woodruff
for his direct collaboration with the crates.io team on mitigation strategies. Recognition is also due
to the Rust project contributors who managed this advisory: Eric Huss for
implementing the Cargo patch; Tobias Bieniek, Adam Harvey and Walter Pearce for
securing crates.io and conducting the crate analysis; Emily Albini and Josh Stone for
orchestrating the security response; and Emily Albini for
authoring this advisory.