# Security advisory for Cargo (CVE-2026-33056 in tar crate)

_Friday, June 26, 2026 at 6:22 PM EDT_

![Security advisory for Cargo (CVE-2026-33056 in tar crate) — Primary](https://www.rust-lang.org/static/images/rust-social-wide.jpg)

The Rust Security Response Team was notified of a vulnerability in the third-party tar crate used by Cargo to extract packages during a build. The vulnerability, tracked as CVE-2026-33056, allows a malicious crate to change the permissions on arbitrary directories on the filesystem when Cargo extracts it during a build.

For users of the public crates.io registry, a change was deployed on March 13th to prevent uploading crates exploiting this vulnerability. An audit of all crates ever published confirmed that none on crates.io are exploiting it.

Users of alternate registries should contact the vendor of their registry to verify whether they are affected.

The Rust team will release Rust 1.94.1 on March 26th, 2026, updating to a patched version of the tar crate along with other non-security fixes for the Rust toolchain. This release will not protect users of older versions of Cargo using alternate registries.

Sergei Zimmerman discovered the tar crate vulnerability and notified the Rust project ahead of time. William Woodruff directly assisted the crates.io team with the mitigations. The advisory also credits Eric Huss for patching Cargo, Tobias Bieniek, Adam Harvey and Walter Pearce for patching crates.io and analyzing crates, Emily Albini and Josh Stone for coordinating the response, and Emily Albini for writing the advisory.

## Sources

- [The Rust Security Response Team](https://blog.rust-lang.org/2026/03/21/cve-2026-33056/)

---
Canonical: https://techandbusiness.org/newswire/dwShKCC5FBZlnWiQ1QTZ2Q
Retrieved: 2026-06-27T05:32:40.583Z
Publisher: Tech & Business (techandbusiness.org)
