FIND-20260330-001 · 2026-03-30 · Innovation Veille
Rust 1.94.1 released — CVE-2026-33055 and CVE-2026-33056 patched in Cargo tar crate
release
HIGH
Rust 1.94.1 was released on 2026-03-26 as a patch release. It updates Cargo's bundled tar crate from 0.4.44 to 0.4.45, fixing two CVEs: CVE-2026-33056 (arbitrary directory permission modification via symlink following during crate extraction) and CVE-2026-33055 (PAX header size override confusion enabling archive smuggling). The public crates.io index was audited and no malicious crates were found, but ODS CI environments that build Rust with older toolchains should upgrade immediately.
Source
https://blog.rust-lang.org/2026/03/21/cve-2026-33056/
ODS Impact
All ODS Rust services (billing-engine, oid, pdf-engine, docstore, etc.) rely on cargo for builds. A build environment still on Rust ≤ 1.94.0 is vulnerable to supply chain attacks via crafted crates during CI builds, because cargo extracts every downloaded dependency with the affected tar crate. Upgrade the Rust toolchain in all Docker build images and GitHub Actions runners.
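As an added example (not from the Rust project or ODS tooling), a small POSIX sh gate that a CI job can run first so a build image whose cargo predates 1.94.1 fails loudly instead of silently extracting crates with the vulnerable tar crate. It assumes `cargo --version` prints a banner of the form `cargo X.Y.Z (...)`; the script name rust_gate.sh is a placeholder.

```shell
#!/bin/sh
# Added example: CI gate for the Rust 1.94.1 upgrade (not Rust or ODS code).
# Fails the build when the cargo in the image is older than 1.94.1, the first
# release whose bundled tar crate (0.4.45) carries the CVE-2026-33055/-33056 fixes.
# Save as rust_gate.sh and call it as the first step of every Rust job.

MIN_VERSION="1.94.1"

# semver_key 1.94.1 -> 000010009400001: zero-padded so a numeric -ge compare works
semver_key() {
    IFS=. read -r maj min pat <<EOF
$1
EOF
    printf '%05d%05d%05d' "${maj:-0}" "${min:-0}" "${pat:-0}"
}

# version_ge A B -> exit 0 when A >= B
version_ge() {
    [ "$(semver_key "$1")" -ge "$(semver_key "$2")" ]
}

# version_from_banner "cargo 1.94.0 (0000000 2026-01-01)" -> 1.94.0
# Word-splits the banner on purpose. A pre-release suffix ("1.95.0-nightly") is
# stripped, so a pre-release is judged by its base number (an assumption here,
# not a rule from the advisory).
version_from_banner() {
    set -- $1
    printf '%s\n' "${2%%-*}"
}

# toolchain_status BANNER -> prints the verdict; exit 1 when vulnerable
toolchain_status() {
    v=$(version_from_banner "$1")
    if version_ge "$v" "$MIN_VERSION"; then
        echo "patched ($v >= $MIN_VERSION)"
    else
        echo "vulnerable ($v < $MIN_VERSION): upgrade the toolchain image"
        return 1
    fi
}

# check_toolchain TOOL -> runs `TOOL --version` and applies the gate to it
check_toolchain() {
    banner=$("$1" --version 2>/dev/null) || { echo "$1 not found"; return 1; }
    toolchain_status "$banner"
}

# Apply the gate when executed as a script; the functions stay sourceable.
case "$0" in *rust_gate.sh) check_toolchain cargo ;; esac
```

Checking `cargo` rather than `rustc` is deliberate: the vulnerable tar crate ships inside cargo, so that is the binary whose version matters.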
Security Review
License: MIT / Apache-2.0 | Maintenance: ACTIVE | Risk: LOW | Recommendation: SAFE_TO_USE
Tags
rust
cargo
cve
supply-chain
security
upgrade-required