Cargo Security Advisory: What Rust Developers Need to Know

Mar 21, 2026

The Rust Security Response Team has disclosed a significant vulnerability in the third-party tar crate, the library Cargo uses to extract downloaded packages (.crate files, which are gzip-compressed tar archives) before building them. Catalogued as CVE-2026-33056, the flaw lets a maliciously crafted crate change the permissions of directories on the host filesystem at the moment Cargo extracts it during a build.

For developers relying on the public crates.io registry, the Rust team acted quickly, deploying a server-side mitigation on March 13th that rejects the upload of any crate designed to exploit this vulnerability. The team then audited the entire catalogue of published crates and confirmed that no crate already on crates.io exploits the flaw.

For organizations and developers operating on alternate or private registries, the guidance is clear: contact your registry vendor directly to assess your exposure. The Rust team has scheduled Rust 1.94.1 for release on March 26th, 2026; it will ship with a patched version of the tar crate alongside other non-security improvements to the toolchain. Note, however, that the fix lives in Cargo itself: a toolchain that is not upgraded and pulls crates from an alternate registry remains exposed, which is why consulting your registry vendor is an essential step for those deployments.
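For teams on a private registry who cannot rely on the crates.io upload filter, the practical question raised by the two paragraphs above is how to inspect a package before Cargo extracts it. The following is an added example written for this page; it is not code from the Rust advisory, from Cargo, or from the tar crate. It walks the 512-byte ustar headers of an uncompressed tar stream with only the standard library and reports entries a cautious extractor should refuse: absolute paths, `..` traversal components, hard or symbolic links, setuid/setgid/sticky bits, and world-writable modes (the last two are the kind of directory-permission manipulation the advisory describes in general terms; the page does not give the exact trigger, so these checks are generic hygiene rather than a reproduction of the CVE). The `header` and `sample_archive` helpers are constructed test fixtures, not real packages. A real .crate file is gzip-compressed, so in practice you would decompress it first and feed the result to `audit_tar`.

```rust
// Added example, not from the Rust project or the tar crate: a minimal
// pre-extraction audit of a tar stream using only std.
const BLOCK: usize = 512;

#[derive(Debug, PartialEq)]
pub enum Finding {
    AbsolutePath(String),
    PathTraversal(String),
    Link { path: String, target: String },
    SpecialBits { path: String, mode: u32 },
    WorldWritable { path: String, mode: u32 },
}

/// Parse a NUL- or space-terminated octal ASCII field (tar stores numbers this way).
fn octal(field: &[u8]) -> u64 {
    let s: String = field.iter().copied().take_while(|b| *b != 0 && *b != b' ').map(char::from).collect();
    u64::from_str_radix(s.trim(), 8).unwrap_or(0)
}

/// Read a NUL-terminated string field.
fn cstr(field: &[u8]) -> String {
    let end = field.iter().position(|b| *b == 0).unwrap_or(field.len());
    String::from_utf8_lossy(&field[..end]).into_owned()
}

/// Walk every header in `archive` (an uncompressed tar stream) and report
/// entries a cautious extractor should refuse. Empty Vec means no findings.
pub fn audit_tar(archive: &[u8]) -> Vec<Finding> {
    let mut findings = Vec::new();
    let mut off = 0;
    while off + BLOCK <= archive.len() {
        let hdr = &archive[off..off + BLOCK];
        if hdr.iter().all(|b| *b == 0) { break; } // end-of-archive marker
        let mut path = cstr(&hdr[0..100]);
        let prefix = cstr(&hdr[345..500]); // ustar prefix field for long names
        if !prefix.is_empty() { path = format!("{}/{}", prefix, path); }
        let mode = octal(&hdr[100..108]) as u32;
        let size = octal(&hdr[124..136]) as usize;
        let typeflag = hdr[156]; // '0' file, '5' dir, '1' hard link, '2' symlink
        let linkname = cstr(&hdr[157..257]);

        if path.starts_with('/') { findings.push(Finding::AbsolutePath(path.clone())); }
        if path.split('/').any(|c| c == "..") { findings.push(Finding::PathTraversal(path.clone())); }
        if typeflag == b'1' || typeflag == b'2' { findings.push(Finding::Link { path: path.clone(), target: linkname }); }
        if mode & 0o7000 != 0 { findings.push(Finding::SpecialBits { path: path.clone(), mode }); }
        if mode & 0o002 != 0 { findings.push(Finding::WorldWritable { path: path.clone(), mode }); }

        // Skip the header and the entry's data, which is padded to a 512-byte boundary.
        off += BLOCK + (size + BLOCK - 1) / BLOCK * BLOCK;
    }
    findings
}

/// Build one ustar header block. Test fixture helper constructed for this example.
pub fn header(name: &str, mode: u32, typeflag: u8, size: usize, linkname: &str) -> [u8; BLOCK] {
    let mut h = [0u8; BLOCK];
    h[..name.len()].copy_from_slice(name.as_bytes());
    h[100..108].copy_from_slice(format!("{:07o}\0", mode).as_bytes());
    h[108..116].copy_from_slice(b"0000000\0");
    h[116..124].copy_from_slice(b"0000000\0");
    h[124..136].copy_from_slice(format!("{:011o}\0", size).as_bytes());
    h[136..148].copy_from_slice(b"00000000000\0");
    h[156] = typeflag;
    h[157..157 + linkname.len()].copy_from_slice(linkname.as_bytes());
    h[257..263].copy_from_slice(b"ustar\0");
    h[263..265].copy_from_slice(b"00");
    // Checksum is the byte sum of the header with the checksum field read as spaces.
    h[148..156].copy_from_slice(b"        ");
    let sum: u32 = h.iter().map(|b| *b as u32).sum();
    h[148..156].copy_from_slice(format!("{:06o}\0 ", sum).as_bytes());
    h
}

/// Constructed sample archive: a benign file, then a world-writable setgid
/// directory and a traversal path of the kind an audit should reject.
pub fn sample_archive() -> Vec<u8> {
    let mut a = Vec::new();
    a.extend_from_slice(&header("evil-0.1.0/Cargo.toml", 0o644, b'0', 5, ""));
    let mut data = b"[pkg]".to_vec();
    data.resize(BLOCK, 0);
    a.extend_from_slice(&data);
    a.extend_from_slice(&header("evil-0.1.0/src/", 0o2777, b'5', 0, ""));
    a.extend_from_slice(&header("../../.cargo/config.toml", 0o644, b'0', 0, ""));
    a.extend_from_slice(&[0u8; BLOCK * 2]); // two zero blocks end the archive
    a
}

fn main() {
    for f in audit_tar(&sample_archive()) {
        println!("{:?}", f);
    }
}
```

Run against the constructed archive it reports the setgid, world-writable directory twice (once per offending bit class) and the traversal entry, and nothing for the benign Cargo.toml. A registry-side gate would reject the upload on any finding; a client-side gate would refuse to extract. The checks deliberately flag all link entries rather than trying to resolve where they point, because resolution depends on extraction order and on the destination directory, which is exactly the kind of state a hostile archive arranges.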

The Rust Security Response Team extended its appreciation to the researchers and contributors who made this coordinated response possible. Sergei Zimmerman is credited with discovering the underlying vulnerability in the tar crate and responsibly disclosing it to the Rust project ahead of public disclosure. William Woodruff provided direct assistance to the crates.io team in implementing mitigations. Within the Rust project itself, Eric Huss led the effort to patch Cargo; Tobias Bieniek, Adam Harvey, and Walter Pearce handled patching on the crates.io side and performed the broader crate analysis; Emily Albini and Josh Stone coordinated the overall response; and Emily Albini authored this advisory.

Source: The Rust Security Response Team · https://blog.rust-lang.org/2026/03/21/cve-2026-33056/
