5 Critical Facts About the Cargo/tar Vulnerability: What Rust Users Must Know
<p>If you use Rust and Cargo to build projects, a recently discovered security flaw in the <code>tar</code> crate could put your system at risk. The vulnerability, tracked as CVE-2026-33056, allows a malicious crate to change the permissions of arbitrary directories during extraction. This advisory breaks down what you need to know, from the technical details to the fixes already rolling out. Stay informed and protect your environment.</p>
<h2 id="fact1">1. Vulnerability Details: How the tar Crate Exploit Works</h2>
<p>The Rust Security Response Team received a report of a flaw in the third-party <code>tar</code> crate, which Cargo uses to extract packages during builds. The exploit combines a path traversal technique with permission manipulation: when Cargo decompresses a specially crafted tarball, an attacker can alter the permissions of any directory on the filesystem, not just directories inside the build directory. A malicious crate could therefore escalate privileges or tamper with critical system folders. The root cause is insufficient validation of symbolic links and permission headers inside the archive. The attack surface is limited to the extraction step, but the consequences can be severe when an unpatched version extracts untrusted crates from any registry.</p><figure style="margin:20px 0"><img src="https://www.rust-lang.org/static/images/rust-social-wide.jpg" alt="5 Critical Facts About the Cargo/tar Vulnerability: What Rust Users Must Know" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: blog.rust-lang.org</figcaption></figure>
<h2 id="fact2">2. Impact on crates.io: No Exploitation Found, But Mitigations Deployed</h2>
<p>The official <a href="https://crates.io/">crates.io</a> registry acted immediately. On March 13th, 2026, the team deployed a server-side change that blocks uploads of crates attempting to exploit this vulnerability, and then audited every crate ever published to the registry. The good news: no crate on crates.io currently contains the exploit. Ordinary users pulling code from the public registry are therefore safe. The registry now also enforces stricter checks on tarball structure, rejecting suspicious permission entries, which adds a layer of safety beyond the upcoming Cargo patch.</p>
<h2 id="fact3">3. What Users of Alternate Registries Need to Do Right Now</h2>
<p>If you rely on a private or alternate registry (such as a corporate mirror or a third-party index), the situation is different: crates.io’s mitigations do not extend to those systems. Contact your registry vendor immediately and ask whether they have implemented similar protections. Without a patched Cargo, older Rust toolchains (before 1.94.1) remain vulnerable when downloading from unmoderated registries. As a temporary workaround, verify the integrity of each crate manually or run builds inside a sandboxing tool such as Docker. The Rust team stresses that the upcoming release will not help users who stay on older Cargo versions with alternate registries, so upgrading the whole toolchain is strongly recommended.</p>
<h2 id="fact4">4. The Upcoming Fix: Rust 1.94.1 and Patched tar Crate</h2>
<p>On March 26th, 2026, the Rust project will release version 1.94.1 of the compiler toolchain. This update includes a patched copy of the <code>tar</code> crate that closes CVE-2026-33056. The fix adds proper validation of permission header fields and rejects any tarball that attempts to change directory permissions outside the extraction target. Rust 1.94.1 also bundles other, non-security improvements to the toolchain. Update as soon as it becomes available with <code>rustup update stable</code>. Note that the patch protects only new extractions; any damage already done must be undone separately. The update is especially critical for CI/CD environments and multi-user systems, where permission changes can have cascading effects.</p>
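<p>The manual verification suggested in section 3 and the validation described in section 4 come down to one rule: no member of a crate archive may reach outside the extraction target, whether through its own path, a symlink target, or a permission entry on a directory. The Rust program below is an added illustration of such a pre-extraction audit; it is not Cargo's code, not the patched <code>tar</code> crate, and not the check crates.io deployed. It parses raw ustar headers with the standard library only, so it takes an uncompressed stream (a <code>.crate</code> file after gunzip); the sample archive, its member names, the <code>Finding</code> type and the "suspicious directory mode" heuristic are all constructed for this example.</p>

```rust
// Added example, not Cargo's or the tar crate's code: audit the members of an
// uncompressed tar stream (a `.crate` file after gunzip) before any extractor
// touches the filesystem. The sample stream and the mode heuristic are constructed.
use std::path::{Component, Path};

const BLOCK: usize = 512; // tar headers and data come in 512-byte blocks

#[derive(Debug, PartialEq)]
pub enum Finding {
    EscapesRoot(String),            // absolute path or a `..` component
    SymlinkEscapes(String, String), // (link path, target) resolving above the root
    SuspiciousDirMode(String, u32), // directory asking for setuid/setgid/sticky or o+w
}

// NUL-terminated text field of a ustar header.
fn field(h: &[u8], start: usize, len: usize) -> String {
    let raw = &h[start..start + len];
    let end = raw.iter().position(|&b| b == 0).unwrap_or(len);
    String::from_utf8_lossy(&raw[..end]).into_owned()
}

// Octal numeric field (mode, size); an unparsable field reads as 0.
fn octal(h: &[u8], start: usize, len: usize) -> u64 {
    u64::from_str_radix(field(h, start, len).trim(), 8).unwrap_or(0)
}

/// True if a member path would land outside the extraction root.
pub fn escapes(path: &str) -> bool {
    Path::new(path).components().any(|c| matches!(c, Component::RootDir | Component::Prefix(_) | Component::ParentDir))
}

/// Resolve a symlink target lexically against the link's own directory and
/// report whether it climbs above the extraction root.
pub fn symlink_escapes(link: &str, target: &str) -> bool {
    // depth of the directory holding the link, relative to the extraction root
    let mut depth = Path::new(link).components().filter(|c| matches!(c, Component::Normal(_))).count() as i64 - 1;
    for c in Path::new(target).components() {
        match c {
            Component::Normal(_) => depth += 1,
            Component::CurDir => {}
            Component::ParentDir if depth > 0 => depth -= 1,
            _ => return true, // `..` past the root, or an absolute target
        }
    }
    false
}

/// Walk the archive header by header and collect everything an extractor
/// should refuse to act on.
pub fn audit_tar(stream: &[u8]) -> Vec<Finding> {
    let mut findings = Vec::new();
    let mut off = 0;
    while off + BLOCK <= stream.len() {
        let h = &stream[off..off + BLOCK];
        if h.iter().all(|&b| b == 0) {
            break; // end-of-archive marker
        }
        let (name, prefix) = (field(h, 0, 100), field(h, 345, 155));
        let path = if prefix.is_empty() { name } else { format!("{}/{}", prefix, name) };
        let mode = octal(h, 100, 8) as u32;
        let size = octal(h, 124, 12) as usize;
        let linkname = field(h, 157, 100);
        if escapes(&path) {
            findings.push(Finding::EscapesRoot(path.clone()));
        }
        match h[156] {
            b'2' if symlink_escapes(&path, &linkname) => findings.push(Finding::SymlinkEscapes(path, linkname)),
            // heuristic (constructed): a directory member carrying 0o7000 or o+w bits deserves a look
            b'5' if mode & 0o7002 != 0 => findings.push(Finding::SuspiciousDirMode(path, mode)),
            _ => {}
        }
        off += BLOCK + (size + BLOCK - 1) / BLOCK * BLOCK; // header plus block-padded data
    }
    findings
}

/// Build one ustar header (path and linkname up to 100 bytes) for the sample stream.
pub fn header(path: &str, mode: u32, typeflag: u8, linkname: &str, size: u64) -> [u8; BLOCK] {
    let mut h = [0u8; BLOCK];
    h[..path.len()].copy_from_slice(path.as_bytes());
    h[100..107].copy_from_slice(format!("{:07o}", mode).as_bytes());
    h[124..135].copy_from_slice(format!("{:011o}", size).as_bytes());
    h[148..156].copy_from_slice(b"        "); // checksum field counts as spaces
    h[156] = typeflag;
    h[157..157 + linkname.len()].copy_from_slice(linkname.as_bytes());
    h[257..265].copy_from_slice(b"ustar\x0000");
    let sum: u32 = h.iter().map(|&b| b as u32).sum();
    h[148..155].copy_from_slice(format!("{:06o}\0", sum).as_bytes());
    h
}

/// Constructed sample: an ordinary crate layout plus three members an extractor must refuse.
pub fn sample_crate_stream() -> Vec<u8> {
    let toml = b"[package]\n..";
    let mut s = Vec::new();
    s.extend_from_slice(&header("pkg-1.0.0/", 0o755, b'5', "", 0));
    s.extend_from_slice(&header("pkg-1.0.0/Cargo.toml", 0o644, b'0', "", toml.len() as u64));
    s.extend_from_slice(toml);
    s.resize(s.len() + BLOCK - toml.len(), 0); // pad file data to a whole block
    s.extend_from_slice(&header("pkg-1.0.0/src/link", 0o777, b'2', "../../../outside-root", 0));
    s.extend_from_slice(&header("pkg-1.0.0/build/", 0o777, b'5', "", 0));
    s.extend_from_slice(&header("../escape.txt", 0o644, b'0', "", 0));
    s.resize(s.len() + 2 * BLOCK, 0); // end-of-archive marker
    s
}
```

<p>On the constructed stream, <code>audit_tar</code> reports the symlink whose target climbs above the root, the world-writable <code>build/</code> directory and the <code>../escape.txt</code> member, and stays silent on the ordinary entries; for a real package, gunzip the <code>.crate</code> file and pass the bytes to <code>audit_tar</code> before extracting. The design choice is to decide lexically, over the headers alone, and never touch the filesystem: the page describes the flaw as a validation gap in the extraction step, so the safe place to reject a bad archive is before anything has been written.</p>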
<h2 id="fact5">5. Credits: The Team Behind the Discovery and Fix</h2>
<p>This coordinated effort highlights the strength of the Rust community. Credit goes to <strong>Sergei Zimmerman</strong> for discovering the underlying vulnerability in <code>tar</code> and responsibly disclosing it to the Rust Security Response Team ahead of time. <strong>William Woodruff</strong> directly assisted the crates.io team with designing and deploying the mitigation measures. On the development side, <strong>Eric Huss</strong> patched Cargo itself, while <strong>Tobias Bieniek</strong>, <strong>Adam Harvey</strong>, and <strong>Walter Pearce</strong> worked on crates.io’s defense and analysis of existing crates. <strong>Emily Albini</strong> and <strong>Josh Stone</strong> coordinated the overall response, and <strong>Emily Albini</strong> also wrote the advisory. The collaborative nature of this response ensures users can trust both the public registry and the upcoming Rust release.</p>
<p>This vulnerability serves as a reminder to always keep your tools up to date and to be cautious when using alternate registries. By following the steps outlined above, you can prevent a malicious crate from compromising your system’s file permissions. Stay safe and keep coding!</p>