FIND-20260327-002 · 2026-03-27 · Innovation Veille

CVE-2026-33056 — Cargo tar crate arbitrary filesystem permission change

Type: CVE · Severity: HIGH
CVE-2026-33056 affects the third-party tar crate that Cargo uses to unpack crate archives. A malicious crate can change the permissions of arbitrary directories on the filesystem while Cargo extracts it during a build. This is a supply-chain vector: a compromised dependency on crates.io or in a private registry could exploit it. Fix: upgrade to Rust 1.94.1, which bundles a patched tar crate. crates.io has already blocked uploads that exploit the issue and audited all 100k+ published crates; none were found to exploit it. The risk is higher for teams that pull from private or alternate Cargo registries, which have not been audited in the same way.

Source

https://blog.rust-lang.org/2026/03/21/cve-2026-33056/

ODS Impact

All ODS Rust services are affected at build time. Immediate action: upgrade the Rust toolchain to 1.94.1 in all Dockerfiles and CI pipelines. Deployed services are not exposed at runtime, since the vulnerable extraction code runs only during cargo install/build, but CI environments that build untrusted dependencies could be compromised. Priority: HIGH.
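To verify the upgrade action across a repository, here is an added Rust example (not code from the Rust blog post or from any ODS tool) that flags Dockerfile base images and rust-toolchain.toml channels not proven to be at or above 1.94.1. It assumes the official `rust` image naming and a plain `channel = "..."` line in the toolchain file; the sample inputs in the test are constructed.

```rust
/// First toolchain version bundling the patched tar crate (from the advisory).
const PATCHED: (u64, u64, u64) = (1, 94, 1);

/// Parse the leading dotted version of a tag such as "1.94.1-slim" or "1.93"
/// (missing patch = 0). None for tags without a version prefix ("latest",
/// "stable", "nightly"), which cannot be judged statically. Minor-only image
/// tags such as "1.94" float to the latest patch but are flagged conservatively.
fn parse_version(tag: &str) -> Option<(u64, u64, u64)> {
    let prefix: String = tag.chars().take_while(|c| c.is_ascii_digit() || *c == '.').collect();
    let mut nums = prefix.split('.').filter(|p| !p.is_empty()).map(|p| p.parse::<u64>().ok());
    let (major, minor) = (nums.next()??, nums.next()??);
    Some((major, minor, nums.next().flatten().unwrap_or(0)))
}

/// Acceptable only if the tag pins a version at or above PATCHED.
fn tag_is_patched(tag: &str) -> bool {
    parse_version(tag).map_or(false, |v| v >= PATCHED)
}

/// 1-based line numbers of `FROM [--opts] rust:<tag>` lines that are unpinned or
/// older than PATCHED. Registry prefixes (docker.io/library/rust) are accepted;
/// digest-pinned images (rust@sha256:...) are not recognised, check them by hand.
fn audit_dockerfile(text: &str) -> Vec<usize> {
    let mut bad = Vec::new();
    for (i, line) in text.lines().enumerate() {
        let mut words = line.split_whitespace();
        if !words.next().map_or(false, |w| w.eq_ignore_ascii_case("from")) { continue; }
        // Skip FROM options such as --platform=... to reach the image reference.
        let image = match words.find(|w| !w.starts_with("--")) { Some(w) => w, None => continue };
        let (name, tag) = image.split_once(':').unwrap_or((image, "latest"));
        if name.rsplit('/').next() != Some("rust") { continue; } // not a rust base image
        if !tag_is_patched(tag) { bad.push(i + 1); }
    }
    bad
}

/// The `channel` of a rust-toolchain.toml when it is not provably patched: an
/// explicit version below PATCHED, or a floating channel such as "stable".
fn audit_toolchain_toml(text: &str) -> Option<String> {
    for line in text.lines() {
        if let Some(rest) = line.trim().strip_prefix("channel") {
            let value = rest.trim_start().strip_prefix('=')?.trim().trim_matches('"');
            return if tag_is_patched(value) { None } else { Some(value.to_string()) };
        }
    }
    None
}
```

Run it over every Dockerfile and rust-toolchain.toml in the repository; any non-empty result is a build that still uses the vulnerable tar crate or cannot be proven fixed.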

Security Review

License: N/A | Maintenance: ACTIVE | Risk: LOW | Recommendation: SAFE_TO_USE

Tags

rust cargo CVE supply-chain security tar-crate