Security Advisory for Cargo: Vulnerability in Tar Crate
A vulnerability, tracked as CVE-2026-33056, has been identified in the tar crate, a third-party dependency used by Cargo. A malicious crate can exploit it during the build process to alter the permissions of arbitrary directories on the machine performing the build.

The Rust Security Response Team has already mitigated the issue on the public crates.io registry, and an audit of the registry found no crate on crates.io exploiting it. An updated Rust release, 1.94.1, shipping a patched version of the tar crate, is scheduled. The crates.io mitigation does not extend to other registries, so users who depend on alternate registries should contact their registry vendor to determine whether they are exposed.

The vulnerability was reported to the Rust project by Sergei Zimmerman; the Rust team thanks the reporter and the community for their prompt cooperation.

Recommended action: update to Rust 1.94.1 as soon as it is released. The release notes will carry further detail on the update and guidance on safeguarding your projects.
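The following check, added here as an example and not part of the advisory or of any Rust project tooling, reports whether the toolchain on PATH is at or above the patched release named above. It assumes only that `rustc --version` prints a line of the form `rustc X.Y.Z (...)` (optionally with a `-nightly` or `-beta` suffix after the version) and that 1.94.1 is the threshold given in the advisory. It does not inspect which registry your dependencies come from; users of alternate registries still need to confirm exposure with their vendor.

```shell
#!/bin/sh
# Added example (not from the Rust advisory): is the installed rustc at or
# above the release that ships the patched tar crate?
set -e

PATCHED_VERSION="1.94.1"   # threshold taken from the advisory

# Extract "X.Y.Z" from a `rustc --version` line; prints nothing if the
# line does not look like rustc output.
rustc_version_from_line() {
  printf '%s\n' "$1" \
    | sed -n 's/^rustc \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# version_ge A B: true (exit 0) when A >= B, comparing each numeric
# component separately so that 1.100.0 sorts above 1.94.1.
version_ge() {
  a_major=${1%%.*}; rest=${1#*.}; a_minor=${rest%%.*}; a_patch=${rest#*.}
  b_major=${2%%.*}; rest=${2#*.}; b_minor=${rest%%.*}; b_patch=${rest#*.}
  [ "$a_major" -gt "$b_major" ] && return 0
  [ "$a_major" -lt "$b_major" ] && return 1
  [ "$a_minor" -gt "$b_minor" ] && return 0
  [ "$a_minor" -lt "$b_minor" ] && return 1
  [ "$a_patch" -ge "$b_patch" ]
}

# toolchain_is_patched LINE: prints "patched", "vulnerable" or "unknown"
# for one `rustc --version` line, with exit status 0, 1 or 2 respectively.
toolchain_is_patched() {
  v=$(rustc_version_from_line "$1")
  if [ -z "$v" ]; then
    echo unknown
    return 2
  fi
  if version_ge "$v" "$PATCHED_VERSION"; then
    echo patched
    return 0
  fi
  echo vulnerable
  return 1
}

# Live check of the toolchain on PATH. The `|| true` keeps the script from
# aborting under `set -e` when the verdict is "vulnerable".
if command -v rustc >/dev/null 2>&1; then
  toolchain_is_patched "$(rustc --version)" || true
fi
```

Run it on each machine or CI image that builds untrusted crates; an exit status of 1 from `toolchain_is_patched` is the signal to upgrade. The commit hashes and dates in the test lines below are constructed sample data.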