The Rust Security Response Team has disclosed CVE-2026-33056, a vulnerability in the third-party `tar` crate used by Cargo to extract packages. The flaw allows a malicious crate to change permissions on arbitrary filesystem directories during extraction. For crates.io users, a server-side mitigation was deployed on March 13th and an audit confirmed no existing crates exploit this. Users of alternate registries should contact their registry vendor. A patched Rust 1.94.1 release is scheduled for March 26th, 2026, but will not protect users of older Cargo versions on alternate registries.

From blog.rust-lang.org