Critical Vulnerability in Third-Party Tar Crate Affects Rust's Cargo Package Manager
<h2>Overview of the Security Issue</h2>
<p>On March 13, 2026, the Rust Security Response Team disclosed a significant vulnerability involving a third-party crate named <strong>tar</strong>, which is used internally by Cargo to extract packages during builds. Tracked as <strong>CVE-2026-33056</strong>, this flaw could allow a maliciously crafted crate to alter the permissions of arbitrary directories on the file system when Cargo processes it.</p><figure style="margin:20px 0"><img src="https://www.rust-lang.org/static/images/rust-social-wide.jpg" alt="Critical Vulnerability in Third-Party Tar Crate Affects Rust's Cargo Package Manager" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: blog.rust-lang.org</figcaption></figure>
<h2>How the Vulnerability Works</h2>
<p>The <em>tar</em> crate provides functionality for reading and writing TAR archives. Cargo relies on it to unpack dependencies from registries. The vulnerability arises from improper handling of certain archive entries, enabling an attacker to set directory permissions to unintended values—potentially opening the door to privilege escalation or file corruption if the build environment is shared or automated.</p>
<h2>Mitigation Steps Taken by the Rust Team</h2>
<p>Upon notification, the team acted swiftly. For the official <strong>crates.io</strong> registry, a <strong>deployment change on March 13</strong> prevented any new uploads that could exploit the vulnerability. Additionally, a comprehensive audit of all crates ever published to crates.io was conducted. The audit confirmed that <strong>no crate on crates.io</strong> has been used to exploit this flaw.</p>
<h3>What This Means for Users of Different Registries</h3>
<p>If you rely solely on <a href="#cratesio-users">crates.io</a>, you are not affected by any known exploitation. However, users of <strong>alternate registries</strong> (e.g., private enterprise repositories or other public indices) should contact the vendor of that registry to determine whether they have applied similar protections.</p>
<h2>Upcoming Rust Release and Patching Timeline</h2>
<p>The Rust project will release <strong>Rust 1.94.1 on March 26, 2026</strong>, which includes a patched version of the <em>tar</em> crate along with other non-security fixes. This update will protect users who upgrade their toolchain. However, <strong>users running older versions of Cargo</strong> (especially those on alternate registries) will remain at risk unless they obtain the patched <em>tar</em> crate through other means.</p>
<h2>Recognition for Discoverers and Contributors</h2>
<p>The Rust Security Response Team extended its gratitude to <strong>Sergei Zimmerman</strong> for discovering the underlying <em>tar</em> crate vulnerability and responsibly disclosing it ahead of time. <strong>William Woodruff</strong> directly assisted the crates.io team with implementing mitigations. Internal Rust project members also contributed: Eric Huss patched Cargo; Tobias Bieniek, Adam Harvey, and Walter Pearce worked on crates.io and analyzed existing crates; and Emily Albini and Josh Stone coordinated the response, with Emily Albini also authoring the advisory.</p>
<h2 id="cratesio-users">Guidance for crates.io Users</h2>
<p>If you are a user of the public crates.io registry, no immediate action is required beyond ensuring you apply the <strong>Rust 1.94.1</strong> update when it becomes available. The mitigation already in place on the server side means that even if you use an older Cargo version, you cannot download a malicious crate that exploits this vulnerability from crates.io.</p>
<h2>Best Practices for Security-Conscious Developers</h2>
<ul>
<li><strong>Always keep your Rust toolchain up to date.</strong> New releases often contain security fixes like this one.</li>
<li><strong>If you operate an alternate registry</strong>, verify that it has deployed the same upload-time checks or at least updated the <em>tar</em> dependency.</li>
<li><strong>Audit your own crate dependencies</strong> for any packages that may have been published before the mitigation date.</li>
<li>Monitor <strong>Rust security advisories</strong> for future vulnerabilities and patches.</li>
</ul>
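<p>The advisory above says only that certain archive entries let a crate change directory permissions, and the dependency-audit bullet leaves the "how" open. The following Rust program is an added example written for this page; it is not code from the Rust advisory, from Cargo, or from the <em>tar</em> crate, and the function names (<code>audit_tar</code>, <code>make_entry</code>, <code>sample_archive</code>) and the sample archive are constructed here. Because the page does not describe the exact entry construction behind CVE-2026-33056, the walker checks the generic hazard classes a package extractor has to reject: entry names or link targets that leave the extraction root, and modes that grant group/world write or setuid/setgid. It reads raw tar headers with the standard library only and never extracts anything.</p>

```rust
// Added example (not code from the Rust advisory, Cargo or the tar crate):
// a minimal ustar header walker that audits a raw tar stream for generic
// hazard classes. The page does not describe the exact entry construction
// behind CVE-2026-33056, so this flags the general classes only: names or
// link targets leaving the extraction root, and group/world-writable or
// setuid/setgid modes. Only the 100-byte name field is read (no prefix join).

#[derive(Debug)]
pub struct Finding { pub name: String, pub reason: &'static str }

/// Parse a NUL/space-terminated octal header field (mode, size).
fn parse_octal(field: &[u8]) -> u64 {
    let s = String::from_utf8_lossy(field);
    u64::from_str_radix(s.trim_matches(&['\0', ' '][..]), 8).unwrap_or(0)
}

/// Read a NUL-terminated string header field (name, linkname).
fn cstr(field: &[u8]) -> String {
    let end = field.iter().position(|&b| b == 0).unwrap_or(field.len());
    String::from_utf8_lossy(&field[..end]).into_owned()
}

/// True for absolute paths or any `..` component.
fn escapes_root(path: &str) -> bool {
    path.starts_with('/') || path.split('/').any(|c| c == "..")
}

/// Walk every header in the archive and collect findings; nothing is extracted.
pub fn audit_tar(bytes: &[u8]) -> Vec<Finding> {
    let mut findings = Vec::new();
    let mut off = 0usize;
    while off + 512 <= bytes.len() {
        let hdr = &bytes[off..off + 512];
        if hdr.iter().all(|&b| b == 0) {
            break; // end-of-archive marker
        }
        let name = cstr(&hdr[0..100]);
        let mode = parse_octal(&hdr[100..108]);
        let size = parse_octal(&hdr[124..136]) as usize;
        let typeflag = hdr[156];
        let linkname = cstr(&hdr[157..257]);
        if escapes_root(&name) {
            findings.push(Finding { name: name.clone(), reason: "name leaves extraction root" });
        }
        if matches!(typeflag, b'1' | b'2') {
            if escapes_root(&linkname) { // hard or symbolic link target
                findings.push(Finding { name: name.clone(), reason: "link target leaves extraction root" });
            }
        } else {
            if mode & 0o022 != 0 {
                findings.push(Finding { name: name.clone(), reason: "group/world writable mode" });
            }
            if mode & 0o6000 != 0 {
                findings.push(Finding { name: name.clone(), reason: "setuid/setgid mode" });
            }
        }
        // Skip the header and the 512-byte-padded body; stop on overflow.
        let padded = match size.checked_add(511) { Some(v) => v / 512 * 512, None => break };
        off = match padded.checked_add(512).and_then(|n| off.checked_add(n)) { Some(v) => v, None => break };
    }
    findings
}

/// Build one ustar entry (header + padded body) for the constructed sample.
pub fn make_entry(name: &str, mode: u32, typeflag: u8, linkname: &str, body: &[u8]) -> Vec<u8> {
    let mut h = [0u8; 512];
    h[..name.len()].copy_from_slice(name.as_bytes());
    h[100..108].copy_from_slice(format!("{:07o}\0", mode).as_bytes());
    h[124..136].copy_from_slice(format!("{:011o}\0", body.len()).as_bytes());
    h[148..156].copy_from_slice(b"        "); // checksum field counts as spaces
    h[156] = typeflag;
    h[157..157 + linkname.len()].copy_from_slice(linkname.as_bytes());
    h[257..265].copy_from_slice(b"ustar\x0000"); // magic "ustar\0" + version "00"
    let sum: u32 = h.iter().map(|&b| u32::from(b)).sum();
    h[148..156].copy_from_slice(format!("{:06o}\0 ", sum).as_bytes());
    let mut out = h.to_vec();
    out.extend_from_slice(body);
    out.resize(out.len() + (512 - body.len() % 512) % 512, 0);
    out
}

/// Constructed sample: a benign crate layout plus three hazardous entries.
pub fn sample_archive() -> Vec<u8> {
    let mut a = Vec::new();
    a.extend(make_entry("demo-0.1.0/Cargo.toml", 0o644, b'0', "", b"[package]\nname = \"demo\"\n"));
    a.extend(make_entry("demo-0.1.0/src/", 0o755, b'5', "", b""));
    a.extend(make_entry("demo-0.1.0/src/main.rs", 0o644, b'0', "", b"fn main() {}\n"));
    a.extend(make_entry("demo-0.1.0/../outside/", 0o777, b'5', "", b"")); // traversal, world-writable
    a.extend(make_entry("demo-0.1.0/link", 0o777, b'2', "/etc", b"")); // symlink to absolute target
    a.extend(make_entry("/tmp/abs", 0o666, b'0', "", b"")); // absolute name, world-writable
    a.extend_from_slice(&[0u8; 1024]); // end-of-archive marker
    a
}

fn main() {
    for f in audit_tar(&sample_archive()) {
        println!("{:<26} {}", f.name, f.reason);
    }
}
```

<p>Cargo's registry cache stores <code>.crate</code> files, which are gzip-compressed tar archives, so decompress one first (for example with <code>gzip -dc</code>) and pass the raw bytes to <code>audit_tar</code>; the three constructed hazardous entries produce five findings, the benign ones none. The walker reports and never writes to disk, which is the safe way to review third-party archives from an alternate registry before a patched Cargo is in place.</p>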
<h2>Conclusion</h2>
<p>The CVE-2026-33056 vulnerability highlights the importance of supply-chain security in the Rust ecosystem. Thanks to early detection and coordinated response, the impact on crates.io users has been neutralized. By staying informed and applying patches promptly, the community continues to maintain a strong security posture.</p>