Endigest AI Core Summary
The Rust Security Response Team disclosed CVE-2026-33056, a vulnerability in the tar crate used by Cargo that allows malicious packages to change permissions on arbitrary filesystem directories.
• The vulnerability exists in the third-party tar crate used by Cargo to extract packages during builds.
• CVE-2026-33056 can allow a malicious crate to modify permissions on arbitrary directories on the filesystem.
• crates.io deployed a mitigation on March 13th blocking uploads of crates exploiting this vulnerability, and audited all published crates; none were found to be exploiting it.
• Users of alternate registries should contact their registry vendor to verify if they are affected.
• Rust 1.94.1 will be released on March 26th, 2026 with a patched version of the tar crate, but will not protect older Cargo versions on alternate registries.
This summary was automatically generated by AI based on the original article and may not be fully accurate.