Cargo Security Vulnerability: Malicious Crates and Directory Permission Changes

From Wandaeps, the free encyclopedia of technology

On March 13, 2026, the Rust Security Response Team disclosed a vulnerability in the third-party tar crate used by Cargo to extract packages during builds. Tracked as CVE-2026-33056, this flaw could allow a malicious crate to modify permissions on arbitrary directories on the filesystem when extracted. Immediate action was taken on crates.io to block exploit attempts, and a comprehensive audit confirmed no published crates were affected. For users of alternative registries, separate steps are required. The following Q&A provides details on the vulnerability, mitigations, and upcoming fixes.

What is the vulnerability CVE-2026-33056?

This vulnerability exists in the tar crate, a Rust library that Cargo uses to decompress and extract crate archives. During extraction, specially crafted tar entries can set arbitrary file permissions on directories outside the intended extraction path. A malicious crate could exploit this to change permissions on system or user directories, potentially leading to privilege escalation or unauthorized access. The flaw was responsibly disclosed by security researcher Sergei Zimmerman, and the Rust Security Response Team coordinated a fix.

Source: blog.rust-lang.org

How does the vulnerability affect Cargo users?

When a developer runs cargo build and Cargo extracts a malicious crate from a registry, the tar extraction process may apply permission changes to directories outside the normal build area. This could allow an attacker to modify permissions on folders like /etc, /usr/local, or user home directories, depending on the user running Cargo. The attack does not require root privileges if the user has write access to those directories. Only users who build crates from registries are at risk; developers who only use local or whitelisted crates are not affected.

What actions were taken on crates.io to protect users?

On March 13, 2026, the crates.io team deployed an immediate server-side change to block any new crate uploads that attempt to exploit this vulnerability. They also performed a historical audit of every crate ever published to the registry. The audit confirmed that no crates on crates.io contain code exploiting CVE-2026-33056. Users of the public crates.io registry are therefore safe from this attack vector. The team also updated the registry's security checks to prevent future uploads of similar malicious crates.

What should users of alternative registries do?

Organizations that operate their own crate registries (e.g., private enterprise registries or third-party mirrors) must contact their registry vendor to determine whether they are affected. The Rust Security Response Team advises verifying that the registry has implemented the same upload restrictions as crates.io. If it has not, users may need to manually inspect their crates for malicious tar entries. Additionally, the upcoming Rust 1.94.1 release (March 26) includes a patched version of the tar crate; once Cargo is updated, this fix protects against exploitation during extraction from any registry. Users who keep an older version of Cargo and pull crates from an unpatched alternative registry remain vulnerable.
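As an added example that is not part of the original advisory or the Rust project's code, the following Rust program implements the manual inspection mentioned above: it walks an uncompressed tar stream (a .crate file is a gzipped tar) and flags entries that no legitimate crate should contain, such as paths that escape the extraction directory, link entries, and directory entries with setuid/setgid or world-writable modes. The advisory does not state the exact malformed entry that triggers the bug, so these checks are a conservative over-approximation; the header() builder and the constructed sample archive are assumptions made for testing.

```rust
const BLOCK: usize = 512;
/// One suspicious entry: its path inside the archive and why it was flagged.
#[derive(Debug, PartialEq)] pub struct Finding { pub path: String, pub reason: String }
// NUL-terminated text field at a fixed offset of the 512-byte ustar header.
fn field(h: &[u8], off: usize, len: usize) -> &str {
    let raw = &h[off..off + len];
    std::str::from_utf8(&raw[..raw.iter().position(|&b| b == 0).unwrap_or(len)]).unwrap_or("")
}
// Numeric ustar fields are ASCII octal, NUL- or space-terminated.
fn octal(h: &[u8], off: usize, len: usize) -> u64 {
    u64::from_str_radix(field(h, off, len).trim(), 8).unwrap_or(0)
}
/// Walk an uncompressed tar stream (a .crate file is a gzipped tar) and report
/// entries a well-formed crate should never contain. Heuristic: the advisory
/// does not name the exact trigger, so this deliberately over-approximates.
pub fn audit_tar(data: &[u8]) -> Vec<Finding> {
    let mut findings = Vec::new();
    let mut pos = 0;
    while pos + BLOCK <= data.len() {
        let h = &data[pos..pos + BLOCK];
        if h.iter().all(|&b| b == 0) { break; } // end-of-archive marker
        let (name, prefix) = (field(h, 0, 100), field(h, 345, 155));
        let path = if prefix.is_empty() { name.to_string() } else { format!("{prefix}/{name}") };
        let (mode, size, typeflag) = (octal(h, 100, 8), octal(h, 124, 12) as usize, h[156]);
        let mut flag = |r: &str| findings.push(Finding { path: path.clone(), reason: r.into() });
        if path.starts_with('/') || path.split('/').any(|c| c == "..") {
            flag("path escapes the extraction directory");
        }
        if matches!(typeflag, b'1' | b'2') {
            flag("link entry; target may resolve outside the crate");
        }
        if typeflag == b'5' && mode & 0o6002 != 0 {
            flag("directory mode grants setuid/setgid or world-write");
        }
        // Only regular files carry data blocks after the header (rounded up to 512).
        let data_len = if matches!(typeflag, 0 | b'0') { (size + BLOCK - 1) / BLOCK * BLOCK } else { 0 };
        pos += BLOCK + data_len;
    }
    findings
}
/// Minimal ustar header for constructed test archives (assumed helper; no checksum, which audit_tar ignores).
pub fn header(path: &str, typeflag: u8, mode: u32, size: usize) -> Vec<u8> {
    let mut h = vec![0u8; BLOCK];
    h[..path.len()].copy_from_slice(path.as_bytes());
    h[100..107].copy_from_slice(format!("{mode:07o}").as_bytes());
    h[124..135].copy_from_slice(format!("{size:011o}").as_bytes());
    h[156] = typeflag;
    h[257..263].copy_from_slice(b"ustar\0");
    h
}
```

Decompress the .crate file first (for example with flate2 or gunzip) and pass the raw tar bytes to audit_tar; any non-empty result is worth a manual look before the crate is built.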

When will the official Cargo fix be released?

The Rust team will release Rust 1.94.1 on March 26, 2026. This update includes a patched version of the tar crate that addresses CVE-2026-33056, along with other non-security fixes for the Rust toolchain. Users are strongly encouraged to upgrade as soon as possible. Note that the patch will prevent Cargo from changing directory permissions improperly, even if a malicious crate is present. However, as mentioned, users who cannot upgrade Cargo and rely on unpatched alternative registries should take additional precautions.

Who discovered and helped mitigate this vulnerability?

Sergei Zimmerman discovered the underlying tar crate vulnerability and responsibly notified the Rust project ahead of public disclosure. William Woodruff directly assisted the crates.io team with implementing the server-side mitigations. Several Rust project members contributed to the response: Eric Huss patched Cargo; Tobias Bieniek, Adam Harvey, and Walter Pearce patched crates.io and analyzed existing crates; Emily Albini and Josh Stone coordinated the overall response; and Emily Albini authored this advisory.