
2026-05-01 22:18:55

Critical Rust Package Manager Vulnerability Allows File Permission Manipulation

CVE-2026-33056 in tar crate allows malicious crates to change directory permissions; crates.io patched, Rust 1.94.1 due March 26.

Breaking: CVE-2026-33056 Exposes Cargo Users to Directory Permission Tampering

The Rust Security Response Team has disclosed a high-severity vulnerability in the third-party tar crate, which the Cargo package manager uses to extract dependencies during builds. The flaw, tracked as CVE-2026-33056, enables a malicious crate to alter the permissions of arbitrary directories on the filesystem upon extraction.

Source: blog.rust-lang.org

Public users of the crates.io registry are currently protected. The team deployed a server-side fix on March 13, 2026, that blocks uploads exploiting this vulnerability. A thorough audit of all historically published crates confirmed that none have been weaponized.

“We have verified that no crates on crates.io are exploiting this vulnerability,” said Emily Albini, a member of the Rust Security Response Team. “Users of the official registry are safe.”

Background: The Flaw in the Tar Crate

The tar crate is a widely used library for handling .tar archives within the Rust ecosystem. Cargo relies on it to decompress and extract packages fetched from registries. The vulnerability arises from improper validation of symbolic links or file metadata, allowing an attacker to craft a malicious archive that resets permissions on directories outside the intended extraction target.

This could, in theory, allow a crate to make system directories writable or change critical file protections, opening the door to privilege escalation or persistent compromise. The issue was discovered by security researcher Sergei Zimmerman, who responsibly disclosed it to the Rust project before public release.

What This Means for Users

Users of the official crates.io registry face no immediate risk, as mitigation is already in place. However, organizations that rely on alternate registries—such as private mirrors or internal repositories—must take action. The Rust Security Response Team advises contacting the vendor of your registry to confirm whether it has implemented similar controls.

The Rust team will release Rust 1.94.1 on March 26, 2026. This update includes a patched version of the tar crate along with other non-security fixes for the toolchain. It is strongly recommended that all users upgrade promptly. However, this patch only protects users who update their Rust installation; older versions of Cargo remain vulnerable if they continue to use unpatched registries.

“Even after the Rust 1.94.1 release, users on older versions of Cargo who depend on unpatched alternate registries will still be at risk,” warned Josh Stone, a Rust project maintainer. “The real defense is for registry operators to implement the same upload-time checks we deployed.”

Coordinated Response and Credits

The Rust Security Response Team acknowledged multiple contributors: Eric Huss patched Cargo; Tobias Bieniek, Adam Harvey, and Walter Pearce fixed crates.io and audited existing crates; Emily Albini and Josh Stone coordinated the response; and Emily Albini authored the advisory. Special thanks also go to William Woodruff for directly assisting crates.io with mitigation strategies.

Timeline and Next Steps

Users should update to Rust 1.94.1 when it becomes available on March 26, 2026. For those managing private registries, the Rust project recommends deploying server-side validation similar to crates.io’s March 13 patch. Further technical details are available in the official advisory, which includes a link to the CVE entry.
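The article says registry operators should add upload-time validation like the crates.io fix but does not reproduce that check, and it describes the flaw only as malicious archive metadata that reaches directories outside the extraction target. The following is an added example, not code from crates.io, Cargo or the tar crate: it models the general gate a private registry could enforce before accepting a .crate upload, namely that every entry path and every symlink or hard-link target must resolve inside the extraction root and that only ordinary file, directory and link entries are allowed. It uses Python's standard tarfile module as a stand-in for whatever archive library the registry runs; the sample archives and the package name demo-0.1.0 are constructed here.

```python
"""Upload-time audit of a .crate archive (gzip-compressed tar).

Added example for this article. It is not crates.io's server-side patch and
not the tar crate's fix; it models the general gate a registry operator
would apply before accepting an upload: every entry path, and every symlink
or hard-link target, must resolve inside the extraction root.
"""
import io
import posixpath
import tarfile

# Entry kinds a source package legitimately needs; devices, FIFOs and the
# like are rejected outright.
ALLOWED_TYPES = {
    tarfile.REGTYPE, tarfile.AREGTYPE, tarfile.DIRTYPE,
    tarfile.SYMTYPE, tarfile.LNKTYPE,
}


def _escapes_root(path: str) -> bool:
    """True if a path (taken relative to the extraction root) would land outside it."""
    # Absolute paths and backslash-separated names cannot be normalised safely.
    if path.startswith("/") or "\\" in path:
        return True
    norm = posixpath.normpath(path)
    return norm == ".." or norm.startswith("../")


def audit_crate_tarball(data: bytes) -> list[str]:
    """Return a list of rejection reasons; an empty list means the archive passes."""
    findings: list[str] = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tf:
        for member in tf.getmembers():
            name = member.name
            if member.type not in ALLOWED_TYPES:
                findings.append(f"{name}: entry type {member.type!r} not allowed")
                continue
            if _escapes_root(name):
                findings.append(f"{name}: path escapes the extraction root")
            if member.issym():
                # A symlink target is resolved relative to the link's own directory;
                # posixpath.join discards the prefix for an absolute target, which
                # _escapes_root then rejects.
                resolved = posixpath.join(posixpath.dirname(name), member.linkname)
                if _escapes_root(resolved):
                    findings.append(
                        f"{name}: symlink target {member.linkname!r} escapes the extraction root")
            elif member.islnk():
                # Hard-link targets are relative to the archive root.
                if _escapes_root(member.linkname):
                    findings.append(
                        f"{name}: hard-link target {member.linkname!r} escapes the extraction root")
    return findings


def build_sample_tarball(entries: list[tuple[str, str, str]]) -> bytes:
    """Construct an in-memory archive from (name, kind, extra) tuples (test data only).

    kind is "file" (extra is the content), "dir" (extra ignored) or
    "symlink" (extra is the link target).
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, kind, extra in entries:
            info = tarfile.TarInfo(name)
            if kind == "file":
                payload = extra.encode()
                info.size = len(payload)
                tf.addfile(info, io.BytesIO(payload))
            elif kind == "dir":
                info.type = tarfile.DIRTYPE
                info.mode = 0o755
                tf.addfile(info)
            elif kind == "symlink":
                info.type = tarfile.SYMTYPE
                info.linkname = extra
                tf.addfile(info)
            else:
                raise ValueError(f"unknown entry kind {kind!r}")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: one well-formed package and two that must be refused.
    samples = {
        "benign": build_sample_tarball([
            ("demo-0.1.0/", "dir", ""),
            ("demo-0.1.0/Cargo.toml", "file", '[package]\nname = "demo"\n'),
            ("demo-0.1.0/src/lib.rs", "file", "pub fn f() {}\n"),
        ]),
        "dir-escape": build_sample_tarball([("demo-0.1.0/../../escaped/", "dir", "")]),
        "symlink-escape": build_sample_tarball([("demo-0.1.0/link", "symlink", "../../outside")]),
    }
    for label, blob in samples.items():
        findings = audit_crate_tarball(blob)
        print(f"{label}: {'REJECT' if findings else 'ACCEPT'}")
        for reason in findings:
            print("  -", reason)
```

The audit never extracts anything; it works purely on the archive's member headers, so it can run in the upload path before the file is stored. A registry would typically also require that every entry sits under a single name-version/ top-level directory, which is a one-line addition to the loop once the expected package name is known.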
