FIND-20260409-004 · 2026-04-09 · Innovation Veille

CVE-2026-33056 — Cargo tar-rs symlink attack allows arbitrary directory permission changes

cve MEDIUM
CVE-2026-33056 (CVSS not yet finalized, assessed HIGH) allows a malicious crate to change permissions on arbitrary filesystem directories when Cargo extracts it during a build. The bug is in tar-rs: when a directory entry shares a name with a previously extracted symlink, the extraction logic fails to distinguish the concrete directory from the symlink's target, so the permission change is applied to the path the symlink points to. Patched in Rust 1.94.1 (released March 26, 2026); crates.io was audited and no crates exploiting the bug were found. ODS is already on Rust 1.94.1 per last-versions.json.
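As an added illustration (not code from tar-rs, Cargo, or the Rust advisory) of the extraction step described above: a naive directory-entry handler beside a hardened one that refuses to apply permissions through a symlink. The scratch-tree layout, path names and modes are constructed for the demo and assume a Unix host.

```rust
// Added example, not tar-rs/Cargo code: the CVE-2026-33056 extraction step in miniature.
use std::fs;
use std::io;
use std::os::unix::fs::{symlink, PermissionsExt};
use std::path::{Path, PathBuf};

/// Naive step: ensure directory `name` exists under `root`, then apply `mode`.
/// `is_dir` and `set_permissions` both follow symlinks, so a symlink planted at
/// `name` by an earlier archive entry silently redirects the chmod to its target.
fn apply_dir_entry_naive(root: &Path, name: &str, mode: u32) -> io::Result<()> {
    let path = root.join(name);
    if !path.is_dir() {
        fs::create_dir(&path)?;
    }
    fs::set_permissions(&path, fs::Permissions::from_mode(mode))
}

/// Hardened step: inspect `name` without following symlinks (`symlink_metadata`)
/// and only apply `mode` when the existing path is a concrete directory. For a
/// symlink, `is_dir()` on this metadata is false, so the collision is rejected.
fn apply_dir_entry_checked(root: &Path, name: &str, mode: u32) -> io::Result<()> {
    let path = root.join(name);
    match fs::symlink_metadata(&path) {
        Ok(m) if !m.is_dir() => {
            return Err(io::Error::new(io::ErrorKind::InvalidData,
                format!("{}: directory entry collides with a non-directory", path.display())));
        }
        Ok(_) => {}
        Err(e) if e.kind() == io::ErrorKind::NotFound => fs::create_dir(&path)?,
        Err(e) => return Err(e),
    }
    fs::set_permissions(&path, fs::Permissions::from_mode(mode))
}

/// Constructed scratch tree in the OS temp dir: `target/` (mode 0700) and `entry -> target`,
/// i.e. the state after a symlink entry named `entry` was extracted and a same-named directory entry follows.
fn scratch_tree(tag: &str) -> io::Result<(PathBuf, PathBuf)> {
    let root = std::env::temp_dir().join(format!("cve-2026-33056-demo-{}-{}", std::process::id(), tag));
    let _ = fs::remove_dir_all(&root);
    let target = root.join("target");
    fs::create_dir_all(&target)?;
    fs::set_permissions(&target, fs::Permissions::from_mode(0o700))?;
    symlink(&target, root.join("entry"))?;
    Ok((root, target))
}

/// Permission bits of the real directory at `path`.
fn mode_of(path: &Path) -> io::Result<u32> {
    Ok(fs::metadata(path)?.permissions().mode() & 0o777)
}
```

With the hardened step, the same-named directory entry is rejected and `target/` keeps its original mode; the naive step changes `target/` to whatever mode the archive entry carried.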

Source

https://blog.rust-lang.org/2026/03/21/cve-2026-33056/

ODS Impact

ODS CI/CD runs cargo build and cargo test in GitHub Actions. On any runner using Rust < 1.94.1, a malicious transitive build dependency could exploit this during crate extraction. The current recorded version (1.94.1) is already patched. Action: verify that all CI runners use Rust 1.94.1 or later. The companion CVE-2026-33055 (CVSS 5.1, Medium) is a parser differential in tar-rs that allows hidden TAR entries to be smuggled past security validators; it is also fixed in 1.94.1.

Security Review

License: N/A | Maintenance: N/A | Risk: LOW | Recommendation: SAFE_TO_USE

Tags

cve rust cargo supply-chain tar security