FIND-20260404-024 · 2026-04-04 · Innovation Veille
CVE-2026-33056: Cargo tar Crate Allows Arbitrary Filesystem Permission Modification — Fixed in Rust 1.94.1
cve
HIGH
A vulnerability in the third-party tar crate used by Cargo allows a malicious crate to modify permissions on arbitrary directories during package extraction at build time. crates.io deployed server-side protection on March 13, 2026 (no exploited packages detected). Rust 1.94.1 (released March 26, 2026) ships the patched tar crate. ODS currently builds with Rust 1.94.1 and is therefore already protected. Users of alternate registries are not covered by the crates.io server-side protection and must contact their registry vendor. Severity: HIGH (filesystem permission manipulation during builds).
Source
https://blog.rust-lang.org/2026/03/21/cve-2026-33056/
ODS Impact
Affected surface: all ODS Rust services (billing-engine, oid, pdf-engine, docstore, etc.) that pull crates during build. The risk is at build time, not runtime: a malicious crate has to be fetched and extracted by a cargo that still carries the vulnerable tar crate. Since ODS builds with Rust 1.94.1 and uses crates.io exclusively, the fix is in place. GitHub Actions CI runners (hosted runner images and any rust-toolchain pins) should be verified to use Rust 1.94.1 or later, because an older cargo on a runner would still extract crates with the vulnerable code. No runtime patching of deployed services is required.
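As an added example, not code from the Rust advisory or from ODS tooling: a POSIX shell check that a CI step can run to fail the job when the runner's cargo predates the first fixed release, 1.94.1. The affected tar crate is a dependency of the cargo binary itself, not of the project being built, so it will not show up in a project's own Cargo.lock; the thing to verify is the cargo version. The `--check` flag and the version strings in the comments are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not from the Rust advisory or ODS tooling): fail a CI job when
# the cargo on the runner is older than 1.94.1, the first release that ships the
# patched tar crate. Usage in a CI step:  sh check_cargo_fix.sh --check

set -eu

# First cargo release containing the fix (from the advisory).
MIN_FIXED_VERSION="1.94.1"

# Extract "X.Y.Z" from a `cargo --version` or `rustc --version` line, e.g.
# (constructed sample) "cargo 1.94.1 (0123abc 2026-03-20)" -> "1.94.1".
# Pre-release suffixes such as "1.95.0-nightly" reduce to "1.95.0".
parse_toolchain_version() {
    printf '%s\n' "$1" | sed -n 's/^[a-z]* \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# version_ge A B: succeed when semver A >= B, comparing each field numerically
# (string comparison would wrongly rank 1.9.0 above 1.94.1).
version_ge() {
    a="$1"; b="$2"
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# check_toolchain_fixed VERSION_LINE: 0 when the toolchain has the fix,
# 1 when it is too old, 2 when the version line cannot be parsed.
check_toolchain_fixed() {
    v=$(parse_toolchain_version "$1")
    if [ -z "$v" ]; then
        echo "could not parse toolchain version from: $1" >&2
        return 2
    fi
    if version_ge "$v" "$MIN_FIXED_VERSION"; then
        echo "cargo $v includes the CVE-2026-33056 fix (>= $MIN_FIXED_VERSION)"
        return 0
    fi
    echo "cargo $v is older than $MIN_FIXED_VERSION: update the toolchain before building untrusted crates" >&2
    return 1
}

# Only query the real toolchain when asked to, so the functions above can be
# sourced and exercised without cargo being installed.
case "${1:-}" in
    --check) check_toolchain_fixed "$(cargo --version)" ;;
esac
```

Run with `--check` as an early step of each build job; a non-zero exit stops the job before any crate is extracted, and the stderr line names the version that needs updating.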
Security Review
License: N/A (Rust toolchain vulnerability) | Maintenance: ACTIVE | Risk: LOW (residual risk for ODS with the 1.94.1 toolchain in place; upstream severity is HIGH) | Recommendation: SAFE_TO_USE
Tags
rust
cargo
cve
supply-chain
build-security
tar