Cargo Vulnerability FAQ: Understanding the tar Crate Security Issue
<p>This FAQ addresses the recent security advisory concerning a vulnerability in the <code>tar</code> crate used by Cargo. The flaw, identified as CVE-2026-33056, allowed a malicious crate to alter directory permissions during extraction. Below we answer key questions about the issue, mitigation steps, and what users should do.</p>
<h2 id="q1">What is the vulnerability in the tar crate affecting Cargo?</h2>
<p>The vulnerability, tracked as <strong>CVE-2026-33056</strong>, resides in the third-party <code>tar</code> crate that Cargo uses to extract packages during a build. It permits a specially crafted crate to <em>change the permissions</em> on arbitrary directories on the filesystem when extracted. This could potentially allow an attacker to escalate privileges or make sensitive directories writable, leading to further compromise. The flaw was responsibly disclosed by security researcher <strong>Sergei Zimmerman</strong> to the Rust Security Response Team.</p>
<p>Source: blog.rust-lang.org</p>
<h2 id="q2">How does the vulnerability work?</h2>
<p>The <code>tar</code> crate processes tar archive entries and applies file permissions during extraction. A malicious crate can include directory entries with crafted permission bits that are not properly sanitized. When Cargo extracts the crate, these permissions are applied to existing directories on the system, overriding their original settings. For example, a directory could be made <em>world-writable</em> without user awareness. The vulnerability does not require any special privileges; it exploits a missing validation in the <code>tar</code> crate's permission handling logic.</p>
<h2 id="q3">Has any malicious crate been found exploiting this on crates.io?</h2>
<p>No. The crates.io team performed a thorough audit of <strong>all crates ever published</strong> after deploying a mitigation on <strong>March 13th, 2026</strong>. They confirmed that <strong>no crates on crates.io</strong> currently exploit or have ever exploited this vulnerability. The public registry remains safe for users. This proactive auditing ensured that the attack vector was never utilized in the wild within the ecosystem.</p>
<h2 id="q4">What actions were taken on crates.io to prevent exploitation?</h2>
<p>On March 13th, the crates.io team implemented a change that <strong>prevents uploading crates</strong> that could exploit this vulnerability. This was a server-side validation that blocks any tar archive with suspicious permission entries. Additionally, the team audited the entire historical database of crates to ensure no previously published crate contained malicious permission changes. Contributors <strong>Tobias Bieniek</strong>, <strong>Adam Harvey</strong>, and <strong>Walter Pearce</strong> led the patching and analysis of existing crates.</p>
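<p>As an added example that is not Cargo's, the <code>tar</code> crate's, or crates.io's own code, the following dependency-free Rust program shows the kind of pre-upload check described in Q2 and Q4: it walks the 512-byte ustar headers of an uncompressed archive, verifies each header checksum, and flags directory entries whose mode bits would loosen access if applied at extraction time (world-writable, setuid/setgid), plus any entry path that could resolve outside the extraction root. The rejection policy, the <code>scan_archive</code> and <code>sample_archive</code> names, and the sample entries are assumptions for illustration; the page only says crates.io blocks "suspicious permission entries", not which bits it tests.</p>

```rust
// Added example: a dependency-free scanner for ustar archives that flags
// directory entries whose permission bits would loosen access at extraction.
// Illustrative code, not Cargo's, the tar crate's, or crates.io's; the
// rejection policy below is an assumption.

const BLOCK: usize = 512;

/// One flagged archive entry.
#[derive(Debug, PartialEq)]
pub struct Finding { pub path: String, pub mode: u32, pub reason: &'static str }

/// Parse a NUL- or space-terminated octal field from a tar header.
fn parse_octal(field: &[u8]) -> Option<u32> {
    let start = field.iter().position(|&b| b != b' ').unwrap_or(field.len());
    let body = &field[start..];
    let end = body.iter().position(|&b| b == 0 || b == b' ').unwrap_or(body.len());
    let digits = std::str::from_utf8(&body[..end]).ok()?;
    if digits.is_empty() { return Some(0); }
    u32::from_str_radix(digits, 8).ok()
}

/// True if the entry path could resolve outside the extraction root.
fn escapes_root(path: &str) -> bool {
    path.starts_with('/') || path.split('/').any(|c| c == "..")
}

/// Walk the header blocks of an uncompressed tar stream and report entries
/// a registry should reject before accepting the upload.
pub fn scan_archive(data: &[u8]) -> Result<Vec<Finding>, String> {
    let mut findings = Vec::new();
    let mut off = 0;
    while off + BLOCK <= data.len() {
        let h = &data[off..off + BLOCK];
        if h.iter().all(|&b| b == 0) { break; } // end-of-archive marker
        // Verify the header checksum; the chksum bytes count as spaces.
        let stored = parse_octal(&h[148..156]).ok_or("unparsable checksum field")?;
        let computed: u32 = h.iter().enumerate()
            .map(|(i, &b)| if (148..156).contains(&i) { b' ' as u32 } else { b as u32 })
            .sum();
        if stored != computed {
            return Err(format!("header checksum mismatch at offset {off}"));
        }
        let name_end = h[..100].iter().position(|&b| b == 0).unwrap_or(100);
        let path = String::from_utf8_lossy(&h[..name_end]).into_owned();
        let mode = parse_octal(&h[100..108]).ok_or("unparsable mode field")?;
        let size = parse_octal(&h[124..136]).ok_or("unparsable size field")? as usize;
        let is_dir = h[156] == b'5' || path.ends_with('/');
        if escapes_root(&path) {
            findings.push(Finding { path: path.clone(), mode, reason: "path escapes the extraction root" });
        }
        if is_dir {
            if mode & 0o002 != 0 {
                findings.push(Finding { path: path.clone(), mode, reason: "world-writable directory" });
            }
            if mode & 0o6000 != 0 {
                findings.push(Finding { path: path.clone(), mode, reason: "setuid/setgid directory" });
            }
        }
        // Skip the header and the entry's data, padded to whole blocks.
        off += BLOCK + (size + BLOCK - 1) / BLOCK * BLOCK;
    }
    Ok(findings)
}

/// Build one ustar header for the constructed sample archive below.
fn header(name: &str, mode: u32, typeflag: u8) -> [u8; BLOCK] {
    let mut h = [0u8; BLOCK];
    h[..name.len()].copy_from_slice(name.as_bytes());
    h[100..107].copy_from_slice(format!("{mode:07o}").as_bytes());
    h[108..115].copy_from_slice(b"0000000"); // uid
    h[116..123].copy_from_slice(b"0000000"); // gid
    h[124..135].copy_from_slice(b"00000000000"); // size: no data blocks
    h[136..147].copy_from_slice(b"00000000000"); // mtime
    h[148..156].copy_from_slice(b"        "); // chksum placeholder
    h[156] = typeflag;
    h[257..263].copy_from_slice(b"ustar\0");
    h[263..265].copy_from_slice(b"00");
    let sum: u32 = h.iter().map(|&b| b as u32).sum();
    h[148..155].copy_from_slice(format!("{sum:06o}\0").as_bytes());
    h
}

/// Constructed sample: a normal package directory, a world-writable one, and
/// a setgid directory whose path climbs out of the extraction root.
pub fn sample_archive() -> Vec<u8> {
    let mut archive = Vec::new();
    archive.extend_from_slice(&header("pkg-0.1.0/", 0o755, b'5'));
    archive.extend_from_slice(&header("pkg-0.1.0/src/", 0o777, b'5'));
    archive.extend_from_slice(&header("../shared/", 0o2775, b'5'));
    archive.extend_from_slice(&[0u8; 2 * BLOCK]);
    archive
}

fn main() {
    match scan_archive(&sample_archive()) {
        Ok(findings) => for f in &findings {
            println!("REJECT {} (mode {:04o}): {}", f.path, f.mode, f.reason);
        },
        Err(e) => println!("malformed archive: {e}"),
    }
}
```

<p>A real <code>.crate</code> file is a gzip-compressed tar, so a registry would run <code>scan_archive</code> over the decompressed bytes; the scanner refuses archives whose header checksums do not match, so a tampered header is rejected rather than silently skipped. Rejecting any finding at upload time is what keeps an entry like <code>pkg-0.1.0/src/</code> with mode <code>0777</code> from ever reaching a client whose <code>tar</code> crate would apply it.</p>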
<h2 id="q5">What should users of alternate registries do?</h2>
<p>If you use a private registry or an alternative crate repository, you should <strong>contact the vendor</strong> of that registry immediately to verify whether they have applied mitigations. The Rust team's fix for Cargo (via a patched <code>tar</code> crate) only protects users who <strong>update to Rust 1.94.1</strong> or later. Users still running older versions of Cargo who download crates from an alternate registry remain vulnerable unless that registry itself blocks malicious uploads. Registry administrators are urged to adopt similar validation checks.</p>
<h2 id="q6">When will the patched version of Rust be released?</h2>
<p>The Rust team announced that <strong>Rust 1.94.1</strong> will be released on <strong>March 26th, 2026</strong>. This release includes an update to the <code>tar</code> crate that fixes the vulnerability, along with other non-security improvements to the Rust toolchain. Users are encouraged to update as soon as it becomes available. Note that this patch only protects Cargo itself; alternate registries must independently ensure they reject malicious crates.</p>
<h2 id="q7">Who discovered and helped fix this vulnerability?</h2>
<p>The discovery was made by <strong>Sergei Zimmerman</strong>, who responsibly disclosed the underlying <code>tar</code> crate vulnerability to the Rust project. <strong>William Woodruff</strong> directly assisted the crates.io team with mitigation measures. Within the Rust project, <strong>Eric Huss</strong> patched Cargo; <strong>Tobias Bieniek</strong>, <strong>Adam Harvey</strong>, and <strong>Walter Pearce</strong> worked on the crates.io side; and <strong>Emily Albini</strong> and <strong>Josh Stone</strong> coordinated the overall response. Emily Albini also authored the advisory. Their coordinated efforts ensured a swift and comprehensive fix.</p>