Security advisory for Cargo
Summary
The Rust Security Response Team discloses a vulnerability in the tar crate used by Cargo (CVE-2026-33056) that could allow a malicious crate to change filesystem permissions during builds. The advisory notes mitigations including crates.io protections, a patched tar in Rust 1.94.1, and guidance for alternate registries, with credits to researchers involved.