Cargo Package Manager Vulnerability: Arbitrary Permission Changes via Malicious Crates

2026-05-03 18:52:34

Overview of the Vulnerability

The Rust Security Response Team recently disclosed a critical vulnerability in the third-party tar crate, which is used internally by Cargo during the extraction of package archives. Tracked as CVE-2026-33056, this flaw enables a malicious crate to alter the permissions of arbitrary directories on the filesystem at the moment Cargo extracts the package. Such a change could lead to privilege escalation, data corruption, or unauthorized access to sensitive system paths.

Source: blog.rust-lang.org

Because Cargo is the default package manager for the Rust ecosystem, any vulnerability in its extraction process has far-reaching implications. The issue lay in the way the tar crate handled symbolic links and extended headers: it did not validate that permission-setting operations were confined to the target extraction directory. An attacker could therefore craft a crate whose archive contains entries that specify permission changes for directories outside the intended scope, such as /etc or /usr.

Impact on crates.io Users

For users of the public crates.io registry, the Rust team acted swiftly. On March 13, 2026, a server-side change was deployed that prevents the upload of any crate exploiting this vulnerability. Additionally, a thorough audit of every crate ever published to crates.io was conducted. The investigation confirmed that no crate on the registry has exploited this flaw, so users of crates.io are not at risk from existing packages.

This proactive measure ensures that developers relying on the default registry can continue to build and publish packages without concern. However, the team strongly recommends that all users remain vigilant and apply updates when they become available. For more details on secure development practices, see the Recommendations section below.

Alternate Registry Users and Mitigations

Organizations that use alternative registries (private mirrors, self-hosted repositories, or third-party indexes) face a different situation. Because the fix at crates.io does not extend to other registries, administrators must proactively verify whether their registry is affected. The Rust team advises contacting the vendor or maintainer of the registry to confirm that they have implemented protections against this vulnerability. If the registry has not deployed a similar block, users of older versions of Cargo may still be exposed when extracting malicious crates.

The upcoming Rust 1.94.1 release, scheduled for March 26, 2026, will include an updated version of the tar crate that patches the vulnerability. This update will be bundled with other non-security fixes for the Rust toolchain. However, this release alone will not protect users of older Cargo versions who download packages from unsecured alternative registries. To fully mitigate the risk, administrators should ensure their registry's upload endpoint validates archives, and developers should upgrade to the latest stable Cargo as soon as possible.
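One form the upload-time archive validation recommended above can take, as an added example that is not code from the Rust advisory, Cargo, or crates.io: inspect a .crate (a gzip-compressed tar) without extracting it and reject any entry whose path, or whose symlink/hardlink target, would resolve outside the extraction directory. The registry endpoint receiving the bytes and the sample archive below are both assumptions constructed for the example; how the real tar crate flaw was triggered is not modelled here.

```python
import io
import posixpath
import tarfile


def escapes_root(path: str) -> bool:
    """True when a normalised POSIX path resolves outside the extraction directory."""
    norm = posixpath.normpath(path)
    return norm.startswith("/") or norm == ".." or norm.startswith("../")


def audit_crate(data: bytes) -> list:
    """Inspect a .crate (gzip tar) without extracting it; return (name, reason) pairs
    for entries whose path or link target would land outside the extraction directory.
    tarfile has already folded PAX path/linkpath extended headers into name/linkname,
    so long-name overrides are covered as well.
    """
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tf:
        for m in tf.getmembers():
            if escapes_root(m.name):
                findings.append((m.name, "entry path escapes extraction directory"))
                continue
            if m.issym() or m.islnk():
                # Symlink targets are relative to the entry's directory; hardlink targets name another member.
                target = m.linkname if m.islnk() else posixpath.join(posixpath.dirname(m.name), m.linkname)
                if escapes_root(target):
                    findings.append((m.name, f"link target {m.linkname!r} escapes extraction directory"))
    return findings


def build_fixture(malicious: bool) -> bytes:
    """Constructed sample archive (not a real crate); the 'malicious' entries show the shapes rejected."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        def add(name, kind, mode=0o644, linkname="", payload=b""):
            ti = tarfile.TarInfo(name)
            ti.type, ti.mode, ti.linkname, ti.size = kind, mode, linkname, len(payload)
            tf.addfile(ti, io.BytesIO(payload) if payload else None)
        add("demo-0.1.0/Cargo.toml", tarfile.REGTYPE, payload=b'[package]\nname = "demo"\n')
        add("demo-0.1.0/src", tarfile.DIRTYPE, mode=0o755)
        if malicious:
            add("demo-0.1.0/../../etc", tarfile.DIRTYPE, mode=0o777)  # directory entry outside the root
            add("demo-0.1.0/out", tarfile.SYMTYPE, linkname="../../usr")  # symlink pointing outside the root
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in audit_crate(build_fixture(malicious=True)):
        print(f"REJECT {name}: {reason}")
```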

Recommendations

Acknowledgments

The Rust Security Response Team extends its gratitude to Sergei Zimmerman for discovering the underlying vulnerability in the tar crate and responsibly disclosing it to the project. William Woodruff provided direct assistance to the crates.io team in implementing the upload-time mitigations. Special thanks also go to Eric Huss for patching Cargo, Tobias Bieniek, Adam Harvey, and Walter Pearce for their work on crates.io and the audit of existing crates, as well as Emily Albini and Josh Stone for coordinating the overall response. Finally, the team acknowledges the efforts of all Rust project members who contributed to this advisory and the fast deployment of fixes.
