FIND-20260329-002 · 2026-03-29 · Innovation Veille

CVE-2026-33056 — Cargo tar crate allows malicious crates to modify filesystem permissions

Type: cve | Severity: HIGH
CVE-2026-33056 affects the tar crate used by Cargo to extract packages during builds. A malicious crate could change permissions on arbitrary directories on the filesystem when extracted. Rust 1.94.1 (released 2026-03-26) ships the patched tar crate. For crates.io users, the registry blocked exploitative uploads on 2026-03-13 and audited all historically published crates — no affected crates were found. Users of private or alternate registries should contact their vendor and upgrade to Rust 1.94.1 immediately.

Source

https://blog.rust-lang.org/2026/03/21/cve-2026-33056/

ODS Impact

ODS Rust services (oid, billing-engine, pdf-engine, docstore) all use crates.io exclusively. Risk is LOW: crates.io has blocked exploitative uploads and audited its existing crates. Confirm that CI (GitHub Actions) builds with Rust 1.94.1. No immediate code change required.
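The CI check above, as an added example (not part of this finding or the Rust project's tooling): it parses the output of `rustc --version` and fails unless the toolchain is at least 1.94.1, the release that ships the patched tar crate. Function names and the sample version strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: fail a CI step when the rustc toolchain predates 1.94.1.
# Assumes `rustc --version` prints "rustc X.Y.Z (<hash> <date>)".

MIN_RUST_VERSION="1.94.1"   # first release shipping the patched tar crate

# ver_ge A B: succeeds when dotted version A >= B, compared numerically
# component by component (a missing component counts as 0).
ver_ge() {
    a="$1"; b="$2"; i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i"); x=${x:-0}
        y=$(printf '%s' "$b" | cut -d. -f"$i"); y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# parse_rustc_version "<rustc --version line>": prints "X.Y.Z", or nothing
# when the line is not rustc's. A -nightly/-beta suffix is stripped so the
# numeric comparison still applies.
parse_rustc_version() {
    printf '%s\n' "$1" | awk '$1 == "rustc" { sub(/-.*/, "", $2); print $2 }'
}

# rust_toolchain_ok "<rustc --version line>": succeeds only for a patched toolchain.
rust_toolchain_ok() {
    v=$(parse_rustc_version "$1")
    [ -n "$v" ] || return 1
    ver_ge "$v" "$MIN_RUST_VERSION"
}

# CI usage (run against the real toolchain):
# rust_toolchain_ok "$(rustc --version)" \
#   || { echo "rustc older than $MIN_RUST_VERSION; upgrade before building" >&2; exit 1; }
```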

Security Review

License: N/A | Maintenance: ACTIVE | Risk: LOW | Recommendation: SAFE_TO_USE

Tags

cve rust cargo supply-chain permissions