Critical Cargo Vulnerability Exposes Systems to Permission Manipulation Attacks

<p><strong>Urgent:</strong> A severe vulnerability in the <code>tar</code> crate used by Cargo, the Rust package manager, allows a malicious crate to change permissions on arbitrary filesystem directories while it is being unpacked. Tracked as <strong>CVE-2026-33056</strong>, the flaw could enable privilege escalation or system compromise on the machine running the build.</p>
<p>“This vulnerability could allow a malicious crate to escalate privileges by modifying permissions on arbitrary directories, potentially leading to full system compromise,” said <strong>Emily Albini</strong>, Security Response Team coordinator for the Rust project. “We have confirmed that no crates on crates.io exploit this, thanks to our proactive audit and blocking measures.”</p>
<p>On <strong>March 13th</strong>, the Rust team deployed a change to the public <strong>crates.io</strong> registry that rejects uploads exploiting this vulnerability. An audit of every crate ever published to the registry found <strong>no crate that exploited it</strong>.</p>
<h2 id="background">Background</h2>
<p>The Rust Security Response Team was notified of the vulnerability by researcher <strong>Sergei Zimmerman</strong>, who discovered the bug in the third-party <code>tar</code> crate. Cargo uses this crate to unpack downloaded dependencies (<code>.crate</code> files are gzip-compressed tar archives) during builds, so the bug is reachable by anyone who can get a crafted crate into a registry from which a target's build resolves dependencies.</p>
<p>Source: blog.rust-lang.org</p>
<p>Successful exploitation would let an attacker modify permissions on any directory after extraction, for example making a system directory world-writable or granting execute rights to sensitive files. This could pave the way for further attacks on the host system.</p>
<h2 id="what-this-means">What This Means</h2>
<p>For users of the public <strong>crates.io</strong> registry, the immediate risk is mitigated: no malicious crate exploiting CVE-2026-33056 was ever published there, and new uploads that attempt it are now rejected.</p>
<p>However, the crates.io change is a server-side upload filter, not a fix for Cargo itself. Users of <strong>alternate registries</strong> therefore remain exposed, since a crafted crate served by a registry that does not filter uploads will still be unpacked by a vulnerable Cargo. The Rust team urges administrators of such registries to contact their vendors to verify whether they are affected. A patched version of the <code>tar</code> crate will be included in <strong>Rust 1.94.1</strong>, scheduled for release on <strong>March 26th, 2026</strong>. That update also contains other, non-security fixes for the Rust toolchain.</p>
<p>Even after that release, older Cargo versions that still bundle the unpatched <code>tar</code> crate remain vulnerable when used with alternate registries. Users are advised to upgrade their toolchain as soon as Rust 1.94.1 is available and to verify the security posture of any non-official registry they use.</p>
<h3>Credits and Mitigation Timeline</h3>
<p>The Rust Security Response Team thanked several individuals for their contributions: <strong>Sergei Zimmerman</strong> for discovering the underlying <code>tar</code> crate vulnerability and notifying the project ahead of time; <strong>William Woodruff</strong> for directly assisting the crates.io team with mitigations; <strong>Eric Huss</strong> for patching Cargo; <strong>Tobias Bieniek, Adam Harvey, and Walter Pearce</strong> for patching crates.io and analyzing existing crates; and <strong>Emily Albini</strong> and <strong>Josh Stone</strong> for coordinating the response.</p>
<p>“The rapid response and collaboration across the Rust community ensured that crates.io remained safe while we prepared a comprehensive fix for the broader ecosystem,” added Albini.</p>
<h3>What Users Should Do Now</h3>
<ol>
<li><strong>For crates.io users:</strong> No action is needed beyond keeping your Rust toolchain up to date. The registry continues to block malicious uploads.</li>
<li><strong>For alternate registry users:</strong> Contact your registry operator now to confirm whether they have deployed mitigations.</li>
<li><strong>All users:</strong> Plan to upgrade to <strong>Rust 1.94.1</strong> on or after March 26. Check your current Cargo version with <code>cargo --version</code>; a Cargo shipped with Rust 1.94.1 or later includes the patched <code>tar</code> crate.</li>
</ol>
<p>The Rust team will continue to monitor for additional threats and will update the advisory as needed. For further details, refer to the official <a href="https://rustsec.org/advisories">RustSec advisory database</a>.</p>
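<p>The Background section above describes the impact (permission changes on directories outside the unpacked crate) but not the internal mechanism in the <code>tar</code> crate. As an added example that is not part of the original advisory or of the Rust project's code, the following stand-alone Rust program (standard library only; it does not use the <code>tar</code> crate) audits a tar image before anything is written to disk and flags the entry patterns that let a crafted archive reach paths outside the extraction root: path traversal, symlinks whose targets resolve outside the root, and entries whose paths pass through an earlier symlink, which is the pattern by which an extractor that applies an entry's mode to its path could chmod a directory outside the root. The in-memory archive, the entry names and the link target <code>/usr/local/bin</code> are constructed sample input; that CVE-2026-33056 involves exactly this pattern is an assumption, not something the advisory states.</p>

```rust
use std::collections::HashSet;

const BLOCK: usize = 512;

/// Metadata from one ustar header; data blocks are skipped, never written to disk.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Entry {
    pub path: String,
    pub typeflag: u8, // b'0' regular file, b'5' directory, b'2' symlink
    pub linkname: String,
    pub mode: u32,
}

#[derive(Debug, PartialEq, Eq)]
pub enum Hazard {
    Traversal(String),              // entry path is absolute or climbs above the root
    SymlinkEscape(String, String),  // (symlink path, target): target resolves outside the root
    ThroughSymlink(String, String), // (entry path, symlink): path passes through an earlier symlink
}

fn field(h: &[u8], off: usize, len: usize) -> String {
    let raw = &h[off..off + len];
    let end = raw.iter().position(|&b| b == 0).unwrap_or(len);
    String::from_utf8_lossy(&raw[..end]).into_owned()
}

fn octal(h: &[u8], off: usize, len: usize) -> u64 {
    u64::from_str_radix(field(h, off, len).trim(), 8).unwrap_or(0)
}

/// Parse ustar headers from an uncompressed tar image, verifying each header checksum.
pub fn parse_tar(buf: &[u8]) -> Result<Vec<Entry>, String> {
    let mut entries = Vec::new();
    let mut off = 0;
    while off + BLOCK <= buf.len() {
        let h = &buf[off..off + BLOCK];
        if h.iter().all(|&b| b == 0) {
            break; // end-of-archive marker
        }
        // The checksum covers the header with the chksum field itself read as spaces.
        let computed: u64 = h.iter().enumerate()
            .map(|(i, &b)| if (148..156).contains(&i) { b' ' as u64 } else { b as u64 })
            .sum();
        if computed != octal(h, 148, 8) {
            return Err(format!("bad header checksum at offset {off}"));
        }
        let (prefix, name) = (field(h, 345, 155), field(h, 0, 100));
        let path = if prefix.is_empty() { name } else { format!("{prefix}/{name}") };
        let size = octal(h, 124, 12) as usize;
        entries.push(Entry { path, typeflag: h[156], linkname: field(h, 157, 100), mode: octal(h, 100, 8) as u32 });
        off += BLOCK + (size + BLOCK - 1) / BLOCK * BLOCK; // skip zero-padded data blocks
    }
    Ok(entries)
}

/// Resolve `rel` against `base` as root-relative components; None = absolute or escapes the root.
fn normalize(base: &[String], rel: &str) -> Option<Vec<String>> {
    if rel.starts_with('/') {
        return None;
    }
    let mut out = base.to_vec();
    for comp in rel.split('/') {
        match comp {
            "" | "." => {}
            ".." => { out.pop()?; }
            c => out.push(c.to_string()),
        }
    }
    Some(out)
}

/// Flag entries that a naive extractor could turn into writes or chmods outside the root.
pub fn audit(entries: &[Entry]) -> Vec<Hazard> {
    let mut hazards = Vec::new();
    let mut symlinks: HashSet<Vec<String>> = HashSet::new();
    for e in entries {
        let comps = match normalize(&[], &e.path) {
            Some(c) => c,
            None => { hazards.push(Hazard::Traversal(e.path.clone())); continue; }
        };
        // If the entry's path, or any ancestor of it, is a symlink created by an earlier entry,
        // the filesystem follows that link when the extractor writes or chmods at this path.
        if let Some(n) = (1..=comps.len()).find(|&n| symlinks.contains(&comps[..n])) {
            hazards.push(Hazard::ThroughSymlink(e.path.clone(), comps[..n].join("/")));
        }
        if e.typeflag == b'2' {
            let parent = &comps[..comps.len().saturating_sub(1)];
            if normalize(parent, &e.linkname).is_none() {
                hazards.push(Hazard::SymlinkEscape(e.path.clone(), e.linkname.clone()));
            }
            symlinks.insert(comps);
        }
    }
    hazards
}

/// Build one ustar entry (header plus zero-padded data). Constructed test input only;
/// names and link names are assumed to fit the 100-byte header fields.
pub fn tar_entry(name: &str, typeflag: u8, linkname: &str, mode: u32, data: &[u8]) -> Vec<u8> {
    let mut h = [0u8; BLOCK];
    h[..name.len()].copy_from_slice(name.as_bytes());
    h[100..108].copy_from_slice(format!("{mode:07o}\0").as_bytes());
    h[124..136].copy_from_slice(format!("{:011o}\0", data.len()).as_bytes());
    h[148..156].copy_from_slice(b"        ");
    h[156] = typeflag;
    h[157..157 + linkname.len()].copy_from_slice(linkname.as_bytes());
    h[257..263].copy_from_slice(b"ustar\0");
    h[263..265].copy_from_slice(b"00");
    let sum: u64 = h.iter().map(|&b| b as u64).sum();
    h[148..156].copy_from_slice(format!("{sum:06o}\0 ").as_bytes());
    let mut out = h.to_vec();
    out.extend_from_slice(data);
    out.resize(out.len() + (BLOCK - data.len() % BLOCK) % BLOCK, 0);
    out
}

/// Constructed sample archive (not a real crate): one benign file, one symlink that leaves
/// the root, one directory entry routed through that symlink, and one classic traversal.
pub fn sample_archive() -> Vec<u8> {
    let mut a = Vec::new();
    a.extend(tar_entry("pkg/", b'5', "", 0o755, b""));
    a.extend(tar_entry("pkg/src/lib.rs", b'0', "", 0o644, b"pub fn f() {}\n"));
    a.extend(tar_entry("pkg/target", b'2', "/usr/local/bin", 0o777, b""));
    // An extractor that applies this entry's 0777 mode to "pkg/target" would follow the
    // symlink and chmod /usr/local/bin instead.
    a.extend(tar_entry("pkg/target/", b'5', "", 0o777, b""));
    a.extend(tar_entry("../escape.txt", b'0', "", 0o644, b"x"));
    a.extend(vec![0u8; BLOCK * 2]);
    a
}

fn main() {
    let entries = parse_tar(&sample_archive()).expect("well-formed archive");
    for h in audit(&entries) {
        println!("{h:?}");
    }
}
```

<p>Running the program prints the three hazards in archive order. A pre-extraction audit of this kind is a defence-in-depth control for anyone mirroring crates into an alternate registry; it does not replace upgrading to the patched <code>tar</code> crate, and this version does not chase chains of symlinks that stay inside the root.</p>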