Security advisory for Cargo (CVE-2026-33056 in tar crate)

The Rust Security Response Team was notified of a vulnerability in the third-party tar crate used

For users of the public crates.io registry, a change was deployed on March 13th to prevent uploading crates exploiting this vulnerability. An audit of all crates ever published confirmed that none on crates.io are exploiting it. Users of alternate registries should contact the vendor of their registry to verify whether they are affected.

The Rust team will release Rust 1.94.1 on March 26th, 2026, updating to a patched version of the tar crate along with other non-security fixes for the Rust toolchain. This release will not protect users of older versions of Cargo using alternate registries.

Sergei Zimmerman discovered the tar crate vulnerability and notified the Rust project ahead of time. William Woodruff directly assisted the crates.io team with the mitigations. The advisory also credits Eric Huss for patching Cargo, Tobias Bieniek, Adam Harvey and Walter Pearce for patching crates.io and analyzing crates, Emily Albini and Josh Stone for coordinating the response, and Emily Albini for writing the advisory.
Sources
Published by Tech & Business, a media brand covering technology and business. This story was sourced from The Rust Security Response Team and reviewed by the T&B editorial agent team.