Critical Cargo Vulnerability Exposes Systems to Permission Manipulation Attacks

Published: 2026-05-05 03:05:10 | Category: Cybersecurity

Urgent: A severe vulnerability in the tar crate used by Cargo—the Rust package manager—allows a malicious crate to change permissions on arbitrary filesystem directories during extraction. Tracked as CVE-2026-33056, the flaw could enable privilege escalation or system compromise.

“This vulnerability could allow a malicious crate to escalate privileges by modifying permissions on arbitrary directories, potentially leading to full system compromise,” said Emily Albini, Security Response Team coordinator for the Rust project. “We have confirmed that no crates on crates.io exploit this, thanks to our proactive audit and blocking measures.”

On March 13th, the Rust team deployed a change to the public crates.io registry to block uploads exploiting this vulnerability. A thorough audit of every crate ever published found no active exploitation on the official registry.

Background

The Rust Security Response Team was notified of the vulnerability by researcher Sergei Zimmerman, who discovered the bug in the third-party tar crate. Cargo relies on this crate to unpack dependencies during builds.

Source: blog.rust-lang.org

Successful exploitation would let an attacker modify permissions on any directory after extraction — for example, making a system directory writable or granting execute rights to sensitive files. This could pave the way for further attacks on the host system.
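As an added illustration (not code from the Rust project or the tar crate, and not the fix for CVE-2026-33056), this is the kind of pre-extraction audit a registry operator or build pipeline can run over a .crate tarball: it parses the raw ustar headers and reports entries that could affect paths or permissions outside the unpack directory. It goes beyond the permission case the advisory describes by also flagging absolute paths, `..` components and link entries; the archive bytes, the crate name and the header-building helper are constructed for the example.

```rust
// Added example, not Rust project code: audit the raw ustar entries of a .crate archive
// before unpacking, flagging entries that could touch paths or permissions outside the
// extraction directory. Generic pre-extraction hardening, not the tar crate's own fix.
#[derive(Debug, PartialEq)]
pub struct Finding { pub path: String, pub reason: &'static str }
// NUL-terminated text field of a 512-byte header block.
fn field(h: &[u8], off: usize, len: usize) -> String {
    let end = h[off..off + len].iter().position(|&b| b == 0).unwrap_or(len);
    String::from_utf8_lossy(&h[off..off + end]).into_owned()
}
/// Walk every header in `tar` and collect entries a registry or Cargo should refuse.
pub fn audit_tar(tar: &[u8]) -> Vec<Finding> {
    let (mut findings, mut pos) = (Vec::new(), 0);
    while pos + 512 <= tar.len() {
        let hdr = &tar[pos..pos + 512];
        if hdr.iter().all(|&b| b == 0) { break; } // end-of-archive marker
        let num = |off, len| u64::from_str_radix(field(hdr, off, len).trim(), 8).unwrap_or(0);
        let (name, prefix) = (field(hdr, 0, 100), field(hdr, 345, 155));
        let path = if prefix.is_empty() { name } else { format!("{prefix}/{name}") };
        let (mode, size, kind) = (num(100, 8), num(124, 12), hdr[156]);
        let mut flag = |reason| findings.push(Finding { path: path.clone(), reason });
        if path.starts_with('/') { flag("absolute path"); }
        if path.split('/').any(|c| c == "..") { flag("parent-directory component"); }
        if kind == b'1' || kind == b'2' { flag("hard or symbolic link"); }
        // setuid, setgid or world-writable bits on a regular file or directory entry
        if matches!(kind, 0 | b'0' | b'5') && (mode & 0o6002) != 0 { flag("dangerous mode bits"); }
        pos += 512 + ((size as usize + 511) / 512) * 512; // skip the padded data blocks
    }
    findings
}
/// One size-0 ustar header, used only to build the constructed sample archive below.
pub fn header(name: &str, mode: u32, kind: u8, link: &str) -> [u8; 512] {
    let mut h = [0u8; 512];
    h[..name.len()].copy_from_slice(name.as_bytes());
    h[100..107].copy_from_slice(format!("{mode:07o}").as_bytes()); // mode is ASCII octal
    h[156] = kind;
    h[157..157 + link.len()].copy_from_slice(link.as_bytes());
    h[257..263].copy_from_slice(b"ustar\0");
    h
}
/// Constructed sample: two benign entries, then a symlink and a traversal dir with world-writable mode.
pub fn sample_archive() -> Vec<u8> {
    let mut v = Vec::new();
    for h in [header("foo-1.0.0/Cargo.toml", 0o644, b'0', ""),
              header("foo-1.0.0/src", 0o755, b'5', ""),
              header("foo-1.0.0/escape", 0o777, b'2', "../../../etc"),
              header("foo-1.0.0/../../tmp", 0o1777, b'5', "")].iter() { v.extend_from_slice(h); }
    v.extend_from_slice(&[0u8; 1024]); // two zero blocks terminate the archive
    v
}
```

Running `audit_tar` over the sample reports the symlink entry once and the traversal directory twice (path component and mode bits); a real pipeline would gunzip the .crate file first and reject the archive on any finding.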

What This Means

For users of the public crates.io registry, the immediate risk is mitigated. No malicious crates exploiting CVE-2026-33056 were ever published there.

However, users of alternate registries remain exposed. The Rust team urges administrators of such registries to contact their vendors to verify whether they are affected. A patched version of the tar crate will be included in Rust 1.94.1, scheduled for release on March 26th, 2026. That update also contains other non-security fixes for the Rust toolchain.

Even after the Rust release, older versions of Cargo that rely on unpatched tar will remain vulnerable when used with alternative registries. Users are advised to upgrade their toolchain as soon as Rust 1.94.1 becomes available and to verify the security posture of any non-official registry they use.

Credits and Mitigation Timeline

The Rust Security Response Team thanked several individuals for their contributions: Sergei Zimmerman for discovering the underlying tar crate vulnerability and notifying the project ahead of time; William Woodruff for directly assisting the crates.io team with mitigations; Eric Huss for patching Cargo; Tobias Bieniek, Adam Harvey, and Walter Pearce for patching crates.io and analyzing existing crates; and Emily Albini and Josh Stone for coordinating the response.

“The rapid response and collaboration across the Rust community ensured that crates.io remained safe while we prepared a comprehensive fix for the broader ecosystem,” added Albini.

What Users Should Do Now

  1. For crates.io users: No action needed beyond keeping your Rust toolchain up to date. The registry continues to block malicious uploads.
  2. For alternate registry users: Immediately contact your registry operator to confirm whether they have deployed mitigations.
  3. All users: Plan to upgrade to Rust 1.94.1 on or after March 26. Check your current Cargo version (cargo --version) and ensure it uses a patched tar crate.

The Rust team will continue to monitor for any additional threats and will update the advisory as needed. For further details, refer to the official RustSec advisory database.