FIND-20260325-002 · 2026-03-25 · Innovation Veille
CVE-2026-33056: Cargo tar-rs symlink arbitrary directory chmod — Rust 1.94.1 patch incoming
cve
HIGH
CVE-2026-33056 (CVSS 5.1 Medium / Red Hat 4.4) affects the tar-rs crate that Cargo uses to extract packages. A malicious crate can cause the extractor to follow a symlink when setting permissions, so the mode change lands on an arbitrary directory elsewhere on the filesystem. Rust 1.94.1 (scheduled March 26, 2026) will update to tar-rs 0.4.45, which patches the issue. crates.io has already blocked uploads of crates that exploit the issue, since March 13.
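The class of bug behind this advisory is that `chmod(2)`, and therefore `std::fs::set_permissions`, resolves symlinks: if an extractor applies an archive entry's mode to a path that is really a symlink, the mode is applied to the link target. The example below is added here to illustrate that behaviour and the corresponding guard (an `lstat`-based check via `symlink_metadata`); it is not tar-rs code and not the upstream fix, and it assumes a Unix host with a writable temp dir. The "victim" and "extract_root" paths are constructed for the demo.

```rust
use std::fs::{self, Permissions};
use std::io;
use std::os::unix::fs::{symlink, PermissionsExt};
use std::path::Path;

/// Set `mode` on `path` only if `path` itself is not a symlink.
/// `fs::set_permissions` corresponds to chmod(2) and follows symlinks, so an
/// extractor calling it on an attacker-named entry would change whatever the
/// link points at. `symlink_metadata` (lstat) inspects the link itself.
pub fn set_permissions_no_follow(path: &Path, mode: u32) -> io::Result<()> {
    let meta = fs::symlink_metadata(path)?;
    if meta.file_type().is_symlink() {
        return Err(io::Error::new(
            io::ErrorKind::InvalidInput,
            format!("refusing to chmod through symlink {}", path.display()),
        ));
    }
    fs::set_permissions(path, Permissions::from_mode(mode))
}

/// Constructed demonstration: an extraction root containing a symlink that
/// points at a directory outside it. Returns the victim directory's mode after
/// a naive chmod through the link, and whether the guarded call refused.
pub fn demo() -> io::Result<(u32, bool)> {
    // Constructed layout under the system temp dir (hypothetical paths).
    let base = std::env::temp_dir().join(format!("chmod-demo-{}", std::process::id()));
    let _ = fs::remove_dir_all(&base);
    let victim = base.join("victim");
    let root = base.join("extract_root");
    fs::create_dir_all(&victim)?;
    fs::create_dir_all(&root)?;
    fs::set_permissions(&victim, Permissions::from_mode(0o700))?;

    // Archive entry "extract_root/escape" is a symlink to the victim directory.
    let link = root.join("escape");
    symlink(&victim, &link)?;

    // Naive extractor step: chmod follows the link and alters the victim.
    fs::set_permissions(&link, Permissions::from_mode(0o777))?;
    let victim_mode = fs::metadata(&victim)?.permissions().mode() & 0o777;

    // Guarded step: the lstat check sees a symlink and refuses.
    let refused = set_permissions_no_follow(&link, 0o755).is_err();

    let _ = fs::remove_dir_all(&base);
    Ok((victim_mode, refused))
}

fn main() -> io::Result<()> {
    let (mode, refused) = demo()?;
    println!("victim mode after naive chmod: {:o}; guarded call refused: {}", mode, refused);
    Ok(())
}
```

The `lstat`-then-`chmod` sequence still leaves a window between the check and the use; a hardened extractor opens the directory with `O_NOFOLLOW` and applies the mode through the descriptor (`fchmod`), or uses `fchmodat` with `AT_SYMLINK_NOFOLLOW` where the platform supports it, so the check and the change refer to the same object.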
Source
https://blog.rust-lang.org/2026/03/21/cve-2026-33056/
ODS Impact
All ODS Rust services (billing-engine, pdf-engine, oid, docstore, etc.) use Cargo for builds. Developers and CI pipelines that fetch and build crates are exposed until Rust 1.94.1 ships on March 26. Risk is limited to build time on developer machines and CI — not runtime. Update the Rust toolchain via rustup to 1.94.1 the day it releases.
Security Review
License: N/A | Maintenance: ACTIVE | Risk: MEDIUM | Recommendation: USE_WITH_CAUTION
Tags
rust
cargo
cve
supply-chain
security
tar