6 Critical Facts About the Rust Cargo Security Vulnerability (CVE-2026-33056)

2026-05-02 08:12:15

Introduction

On March 13, 2026, the Rust Security Response Team disclosed a serious vulnerability affecting Cargo, Rust's build system and package manager. The flaw, tracked as CVE-2026-33056, lurks inside the widely used tar crate — a third‑party dependency that Cargo relies on when extracting packages during a build. A malicious crate could exploit this to alter the permissions of arbitrary directories on your filesystem, potentially opening the door to privilege escalation or other attacks. While the immediate threat has been neutralized on the public crates.io registry, users of alternate registries and older Cargo versions still need to act. Below, we break down what happened, what was fixed, and what you should do to stay safe.

Source: blog.rust-lang.org

1. What the Vulnerability Actually Does

The tar crate (up to version 0.4.28) mishandles certain symbolic links and permission flags inside tar archives. When Cargo extracts a crate during a build, it passes the archive to tar, which then writes files and directories to disk. The bug allows a specially crafted payload to change the permissions (e.g., chmod to 0777 or setuid bits) on directories outside the intended extraction target. An attacker could use this to make system directories writable, or to plant executable scripts in startup folders. The flaw does not allow arbitrary code execution by itself, but permission changes can be a stepping stone for more serious compromises. The severity was assessed as high because many developers run cargo build with user‑level privileges, and a malicious crate from any registry could silently modify critical parts of the filesystem.

2. The Immediate Fix Deployed on crates.io

On March 13, 2026, hours after the disclosure, the crates.io team implemented a server‑side check that blocks any crate upload attempting to exploit this vulnerability. The check inspects the tar archive before it is accepted into the registry, scanning for suspicious permission‑changing entries. Additionally, the team audited every crate ever published to crates.io. This audit confirmed that no existing crate (malicious or otherwise) has taken advantage of CVE-2026-33056. The quick response means that users who only consume crates from crates.io are effectively protected — provided they use a sufficiently recent Cargo version that also includes the client‑side fix (see Item 4). For those relying solely on the public registry, no further action is required beyond updating Cargo when the official patch arrives.
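Items 1 and 2 describe the defect class (symlink and permission entries in a tar archive acting outside the extraction target) and the archive inspection crates.io added at upload time. The Rust program below is an added example, not code from the advisory, Cargo, crates.io or the tar crate, and it is not the check crates.io actually runs nor the fix to the tar crate. It implements a dependency-free pre-extraction scan of the kind a registry or build pipeline could run: it walks the ustar headers of a tar archive (a .crate file is a gzip-compressed tar, so it would be decompressed first) and reports entries whose path or link target would escape the extraction directory and entries carrying setuid/setgid or world-writable mode bits. The rejection policy and the sample archive built by sample_archive() are constructed for this example.

```rust
// Added example, not code from the Rust advisory, Cargo, crates.io or the tar crate:
// a dependency-free pre-extraction scanner that walks the ustar headers of a tar
// archive and reports entries a registry or build tool would reject: paths or link
// targets escaping the extraction directory, setuid/setgid or world-writable modes.
use std::path::{Component, Path};

const BLOCK: usize = 512;

#[derive(Debug, PartialEq)]
pub struct Finding { pub entry: String, pub reason: &'static str }

/// Parse a NUL/space-terminated octal header field (0 if unparsable).
fn octal_field(bytes: &[u8]) -> u64 {
    let digits: String = bytes.iter().take_while(|&&b| b != 0 && b != b' ').map(|&b| b as char).collect();
    u64::from_str_radix(&digits, 8).unwrap_or(0)
}

/// Read a NUL-terminated string field.
fn nul_str(bytes: &[u8]) -> String {
    let end = bytes.iter().position(|&b| b == 0).unwrap_or(bytes.len());
    String::from_utf8_lossy(&bytes[..end]).into_owned()
}

/// True if `p` is absolute or its `..` components climb above the extraction root.
pub fn escapes_root(p: &str) -> bool {
    let mut depth: i64 = 0;
    for c in Path::new(p).components() {
        match c {
            Component::Normal(_) => depth += 1,
            Component::CurDir => {}
            Component::ParentDir => { depth -= 1; if depth < 0 { return true; } }
            Component::RootDir | Component::Prefix(_) => return true,
        }
    }
    false
}

/// Walk every header in `archive` and collect policy violations in archive order.
pub fn scan_tar(archive: &[u8]) -> Vec<Finding> {
    let mut findings = Vec::new();
    let mut off = 0;
    while off + BLOCK <= archive.len() {
        let hdr = &archive[off..off + BLOCK];
        if hdr.iter().all(|&b| b == 0) { break; } // end-of-archive marker
        let (prefix, name) = (nul_str(&hdr[345..500]), nul_str(&hdr[0..100]));
        let entry = if prefix.is_empty() { name } else { format!("{}/{}", prefix, name) };
        let mode = octal_field(&hdr[100..108]);
        let size = octal_field(&hdr[124..136]) as usize;
        let (typeflag, linkname) = (hdr[156], nul_str(&hdr[157..257]));
        let mut flag = |reason| findings.push(Finding { entry: entry.clone(), reason });
        if escapes_root(&entry) { flag("entry path escapes extraction directory"); }
        if typeflag == b'2' {
            // Resolve the symlink target relative to the entry's own directory.
            let dir = Path::new(&entry).parent().unwrap_or(Path::new(""));
            let target = dir.join(&linkname).to_string_lossy().into_owned();
            if Path::new(&linkname).is_absolute() || escapes_root(&target) {
                flag("symlink target escapes extraction directory");
            }
        } else {
            // Mode bits apply to files and directories; extractors ignore them on symlinks.
            if mode & 0o6000 != 0 { flag("setuid/setgid bit set"); }
            if mode & 0o002 != 0 { flag("world-writable mode"); }
        }
        if typeflag == b'1' && escapes_root(&linkname) { flag("hard link target escapes extraction directory"); }
        off += BLOCK + (size + BLOCK - 1) / BLOCK * BLOCK; // header plus zero-padded data
    }
    findings
}

/// Build one ustar header block (constructed test data; checksum computed per the spec).
fn header(name: &str, mode: u32, typeflag: u8, linkname: &str, size: usize) -> [u8; BLOCK] {
    let mut h = [0u8; BLOCK];
    h[..name.len()].copy_from_slice(name.as_bytes());
    h[100..108].copy_from_slice(format!("{:07o}\0", mode).as_bytes());
    h[124..136].copy_from_slice(format!("{:011o}\0", size).as_bytes());
    h[148..156].copy_from_slice(b"        "); // checksum field counts as spaces
    h[156] = typeflag;
    h[157..157 + linkname.len()].copy_from_slice(linkname.as_bytes());
    h[257..265].copy_from_slice(b"ustar\x0000"); // magic + version
    let sum: u32 = h.iter().map(|&b| b as u32).sum();
    h[148..156].copy_from_slice(format!("{:06o}\0 ", sum).as_bytes());
    h
}

/// A constructed archive mixing a benign source file with headers the scanner rejects.
pub fn sample_archive() -> Vec<u8> {
    let body = b"fn main() {}\n";
    let mut tar = Vec::new();
    tar.extend_from_slice(&header("pkg-1.0.0/src/main.rs", 0o644, b'0', "", body.len()));
    tar.extend_from_slice(body);
    tar.resize(tar.len() + (BLOCK - body.len() % BLOCK) % BLOCK, 0); // pad data to a block
    tar.extend_from_slice(&header("pkg-1.0.0/scripts/", 0o777, b'5', "", 0));
    tar.extend_from_slice(&header("pkg-1.0.0/escape", 0o777, b'2', "../../../../tmp", 0));
    tar.extend_from_slice(&header("pkg-1.0.0/bin/helper", 0o4755, b'0', "", 0));
    tar.extend_from_slice(&header("../outside.txt", 0o644, b'0', "", 0));
    tar.extend_from_slice(&[0u8; 2 * BLOCK]); // end-of-archive marker
    tar
}

fn main() {
    for f in scan_tar(&sample_archive()) {
        println!("REJECT {}: {}", f.entry, f.reason);
    }
}
```

Run stand-alone, the program lists four rejected entries from the constructed archive (the world-writable directory, the escaping symlink, the setuid file and the path with a leading ".."), and none for the ordinary source file. The conservative deployment is to refuse the whole archive on any finding, both at upload time in a registry and in a build pipeline before extraction. The symlink rule here flags only targets that leave the extraction directory; a stricter policy would reject symlink entries outright, which is a reasonable choice for a registry since ordinary source packages rarely need them.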

3. Why Alternate Registries Are Still at Risk

The server‑side fix described above is exclusive to crates.io. Organizations that run their own package registries (e.g., using drogue or Gitea with a custom Cargo index) must apply their own mitigations. If you use an alternate registry, you should contact its vendor or administrator immediately to ask whether they have implemented the same check. Without such a measure, any user of that registry who runs cargo build with an unpatched Cargo could be vulnerable to a malicious crate. The Rust Security Team cannot patch third‑party registries; each operator must act independently. As a rule of thumb, treat any crate from an alternate registry as untrusted until you have confirmed either that the registry blocks the exploit or that you have updated to a Cargo version that includes the tar crate fix.

4. The Upcoming Rust 1.94.1 Release

The official fix for the client side arrives on March 26, 2026, with the release of Rust 1.94.1. This point release updates the tar crate to a patched version (0.4.29) and includes a few other non‑security toolchain improvements. Once you install Rust 1.94.1, Cargo will use the hardened tar crate for all extractions. However, note that this only protects you if you are using a registry that also blocks the exploit — or if the registry has already been audited. Users of alternate registries should not rely solely on the Cargo update; they need both the client patch and a registry that rejects malicious archives. The Rust team recommends upgrading to 1.94.1 as soon as it is available, even if you think you are not at risk, because future vulnerability disclosures might build on similar attack vectors.

5. What to Do if You Manage an Alternate Registry

If you operate a Cargo registry outside of crates.io, take the following steps immediately:

Remember: the vulnerability affects any tar extractor using the buggy tar crate version. Your registry doesn’t need to be written in Rust to be impacted — it just needs to serve crates that Cargo will later extract.

6. Thanking the Discoverers and Responders

This coordinated disclosure succeeded because of the vigilance and collaboration of several individuals. Sergei Zimmerman discovered the underlying tar crate vulnerability and reported it to the Rust Security Response Team ahead of time. William Woodruff directly assisted the crates.io team in designing the server‑side mitigation. On the Rust side, Eric Huss patched Cargo itself; Tobias Bieniek, Adam Harvey, and Walter Pearce patched crates.io and analyzed all published crates; Emily Albini and Josh Stone coordinated the overall response; and Emily Albini also authored this advisory. Their fast, professional work prevented this vulnerability from becoming a widespread supply‑chain attack. The Rust project (and the broader open‑source community) owes them a debt of gratitude.

Conclusion

CVE-2026-33056 is a reminder that even mature ecosystems like Rust can have subtle flaws in third‑party dependencies. The good news is that the vulnerability was responsibly disclosed, quickly patched on the public registry, and a comprehensive audit found no evidence of exploitation. If you use only crates.io and update to Rust 1.94.1 on March 26, you are protected. If you rely on alternate registries, be proactive: contact your registry operator and verify their mitigation strategy. The Rust community’s swift response sets a strong example, but security is a shared responsibility — stay updated, stay vigilant, and always cargo update.
