Security Advisory for Cargo
7 hours ago
- Vulnerability in third-party crate tar (CVE-2026-33056) allows malicious crates to change filesystem permissions during extraction.
- Public crates.io registry users protected since March 13th; no malicious crates found.
- Alternate registry users should contact their vendor to check if affected.
- Rust 1.94.1 to be released on March 26th, 2026, with a patched tar crate and other fixes.
- Acknowledgments to Sergei Zimmerman, William Woodruff, and Rust project members for their contributions.