Critical Vulnerability in Third-Party Tar Crate Affects Rust's Cargo Package Manager

From Xutepsj, the free encyclopedia of technology

Overview of the Security Issue

On March 13, 2026, the Rust Security Response Team disclosed a significant vulnerability involving a third-party crate named tar, which is used internally by Cargo to extract packages during builds. Tracked as CVE-2026-33056, this flaw could allow a maliciously crafted crate to alter the permissions of arbitrary directories on the file system when Cargo processes it.

Image: Critical Vulnerability in Third-Party Tar Crate Affects Rust's Cargo Package Manager (Source: blog.rust-lang.org)

How the Vulnerability Works

The tar crate provides functionality for reading and writing TAR archives. Cargo relies on it to unpack dependencies downloaded from registries. The vulnerability arises from improper handling of certain archive entries, which lets an attacker set directory permissions to unintended values; in a shared or automated build environment this could lead to privilege escalation or file corruption.

Mitigation Steps Taken by the Rust Team

Upon notification, the team acted swiftly. For the official crates.io registry, a deployment change on March 13 prevented any new uploads that could exploit the vulnerability. Additionally, a comprehensive audit of all crates ever published to crates.io was conducted. The audit confirmed that no crate on crates.io has been used to exploit this flaw.

What This Means for Users of Different Registries

If you rely solely on crates.io, you are not affected by any known exploitation. However, users of alternate registries (e.g., private enterprise repositories or other public indices) should contact the vendor of that registry to determine whether they have applied similar protections.

Upcoming Rust Release and Patching Timeline

The Rust project will release Rust 1.94.1 on March 26, 2026, which includes a patched version of the tar crate along with other non-security fixes. This update will protect users who upgrade their toolchain. However, users running older versions of Cargo (especially those on alternate registries) will remain at risk unless they obtain the patched tar crate through other means.

Recognition for Discoverers and Contributors

The Rust Security Response Team extended its gratitude to Sergei Zimmerman for discovering the underlying tar crate vulnerability and responsibly disclosing it ahead of time. William Woodruff directly assisted the crates.io team with implementing mitigations. Internal Rust project members also contributed: Eric Huss patched Cargo; Tobias Bieniek, Adam Harvey, and Walter Pearce worked on crates.io and analyzed existing crates; Emily Albini and Josh Stone coordinated the response; and Emily Albini authored the advisory.

Guidance for crates.io Users

If you are a user of the public crates.io registry, no immediate action is required beyond ensuring you apply the Rust 1.94.1 update when it becomes available. The mitigation already in place on the server side means that even if you use an older Cargo version, you cannot download a malicious crate that exploits this vulnerability from crates.io.

Best Practices for Security-Conscious Developers

  • Always keep your Rust toolchain up to date. New releases often contain security fixes like this one.
  • If you operate an alternate registry, verify that it has deployed the same upload-time checks or at least updated the tar dependency.
  • Audit your own crate dependencies for any packages that may have been published before the mitigation date.
  • Monitor Rust security advisories for future vulnerabilities and patches.
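As an added example (not code from the Rust project, the tar crate, or crates.io), the scanner below shows what the upload-time check mentioned under "Mitigation Steps" or a local audit of already-downloaded dependencies can look like for an operator of an alternate registry or a security-conscious developer. The page does not describe the exact archive entry the CVE relies on, so the checks are generic archive hygiene rather than the crates.io rule set: paths or link targets that leave the extraction root, device or FIFO entries, and setuid/setgid/sticky/world-writable mode bits on directories and files. The Cargo cache location ($CARGO_HOME/registry/cache, default ~/.cargo) is an assumption about a standard setup, and the sample archive is constructed in memory.

```python
"""Hygiene scanner for .crate archives (gzipped tar), as a defender-side example.

Assumption: the page does not describe the exact archive entry that triggers
CVE-2026-33056, so the checks below are generic ones a registry or a developer
auditing a local Cargo cache would run; they are not the crates.io rule set.
"""
import io
import os
import stat
import tarfile
from pathlib import PurePosixPath
from typing import Optional

# Mode bits a source package has no business setting on any entry.
RISKY_BITS = stat.S_ISUID | stat.S_ISGID | stat.S_ISVTX | stat.S_IWOTH


def _escapes_root(name: str) -> bool:
    """True if a path is absolute or contains a '..' component (conservative)."""
    p = PurePosixPath(name)
    return p.is_absolute() or ".." in p.parts


def scan_tar(tf: tarfile.TarFile) -> list[str]:
    """Return one finding per risky entry; an empty list means nothing was flagged."""
    findings: list[str] = []
    for m in tf.getmembers():  # header walk only, nothing is extracted
        if _escapes_root(m.name):
            findings.append(f"{m.name}: path escapes the extraction root")
        if m.issym() or m.islnk():
            target = PurePosixPath(m.linkname)
            if not target.is_absolute():
                # relative link targets resolve against the entry's own directory
                target = PurePosixPath(m.name).parent / target
            if _escapes_root(str(target)):
                findings.append(f"{m.name}: link target {m.linkname!r} leaves the archive")
        if m.isdev() or m.isfifo():
            findings.append(f"{m.name}: device or FIFO entry in a source package")
        if m.mode & RISKY_BITS:
            findings.append(f"{m.name}: mode {m.mode:o} sets setuid/setgid/sticky or world-write")
    return findings


def scan_crate_bytes(data: bytes) -> list[str]:
    """Scan an in-memory .crate (tar.gz) without writing anything to disk."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tf:
        return scan_tar(tf)


def scan_cargo_cache(root: Optional[str] = None) -> dict[str, list[str]]:
    """Scan every .crate already downloaded into Cargo's registry cache.

    Cargo keeps downloaded archives under $CARGO_HOME/registry/cache/<index>/;
    CARGO_HOME defaults to ~/.cargo (assumption: a standard, unmodified setup).
    """
    cargo_home = os.environ.get("CARGO_HOME", os.path.expanduser("~/.cargo"))
    root = root or os.path.join(cargo_home, "registry", "cache")
    report: dict[str, list[str]] = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.endswith(".crate"):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    found = scan_crate_bytes(fh.read())
                if found:
                    report[path] = found
    return report


def build_sample_crate(include_risky: bool = True) -> bytes:
    """Construct a small .crate in memory (constructed test data, not a real package)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        def add(name, typ=tarfile.REGTYPE, mode=0o644, data=b"", linkname=""):
            ti = tarfile.TarInfo(name)
            ti.type, ti.mode, ti.linkname, ti.size = typ, mode, linkname, len(data)
            tf.addfile(ti, io.BytesIO(data) if data else None)
        add("demo-1.0.0/Cargo.toml", data=b'[package]\nname = "demo"\nversion = "1.0.0"\n')
        add("demo-1.0.0/src", tarfile.DIRTYPE, mode=0o755)
        add("demo-1.0.0/src/lib.rs", data=b"pub fn demo() {}\n")
        if include_risky:
            add("../outside", tarfile.DIRTYPE, mode=0o777)        # escapes root, world-writable
            add("demo-1.0.0/build", tarfile.DIRTYPE, mode=0o1777)  # sticky + world-writable dir
            add("demo-1.0.0/escape", tarfile.SYMTYPE, linkname="../../etc")  # link leaving the tree
    return buf.getvalue()


if __name__ == "__main__":
    for line in scan_crate_bytes(build_sample_crate()):
        print("FLAG", line)
    for path, found in scan_cargo_cache().items():
        print(path, *found, sep="\n  ")
```

Run as a script it first flags the constructed sample and then walks the local Cargo cache; on a registry it would be called from the upload handler with the uploaded bytes, rejecting the publish when the list is non-empty. Any ".." component is rejected outright rather than normalized, which is deliberately conservative: a source package never needs it, and refusing to reason about where a path ends up is cheaper than getting the resolution wrong.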

Conclusion

The CVE-2026-33056 vulnerability highlights the importance of supply-chain security in the Rust ecosystem. Thanks to early detection and coordinated response, the impact on crates.io users has been neutralized. By staying informed and applying patches promptly, the community continues to maintain a strong security posture.