Rust's tar archive unpacking allows malicious directory modification
USN-8168-2
Summary
Rust's tar archive unpacking functionality has a vulnerability that allows an attacker to modify directory permissions, potentially leading to privilege escalation. This could happen if a user or system is tricked into processing a specially crafted tar archive. To fix this, update to the latest version of Rust.
What to do
- Update canonical rustc to version 1.31.0+dfsg1+llvm-2ubuntu1~14.04.1ubuntu1.
- Update canonical rustc to version 1.47.0+dfsg1+llvm-1ubuntu1~16.04.1ubuntu2.
- Update canonical rustc to version 1.65.0+dfsg0ubuntu1~llvm2-0ubuntu0.18.04.1.
- Update canonical rustc to version 1.75.0+dfsg0ubuntu1~bpo0-0ubuntu0.20.04.1.
- Update canonical rustc-1.76 to version 1.76.0+dfsg0ubuntu1~bpo0-0ubuntu0.20.04.1.
- Update canonical rustc-1.77 to version 1.77.2+dfsg1ubuntu1~bpo0-0ubuntu0.20.04.1.
- Update canonical rustc-1.78 to version 1.78.0+dfsg1ubuntu1~bpo0-0ubuntu0.20.04.1.
- Update canonical rustc-1.79 to version 1.79.0+dfsg1ubuntu1~bpo0-0ubuntu0.20.04.3.
- Update canonical rustc-1.80 to version 1.80.1+dfsg0ubuntu1~bpo0-0ubuntu0.20.04.1.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| Ubuntu:Pro:14.04:LTS | canonical | rustc | < 1.31.0+dfsg1+llvm-2ubuntu1~14.04.1ubuntu1 Fix: upgrade to 1.31.0+dfsg1+llvm-2ubuntu1~14.04.1ubuntu1 |
| Ubuntu:Pro:16.04:LTS | canonical | rustc | < 1.47.0+dfsg1+llvm-1ubuntu1~16.04.1ubuntu2 Fix: upgrade to 1.47.0+dfsg1+llvm-1ubuntu1~16.04.1ubuntu2 |
| Ubuntu:Pro:18.04:LTS | canonical | rustc | < 1.65.0+dfsg0ubuntu1~llvm2-0ubuntu0.18.04.1 Fix: upgrade to 1.65.0+dfsg0ubuntu1~llvm2-0ubuntu0.18.04.1 |
| Ubuntu:Pro:20.04:LTS | canonical | rustc | < 1.75.0+dfsg0ubuntu1~bpo0-0ubuntu0.20.04.1 Fix: upgrade to 1.75.0+dfsg0ubuntu1~bpo0-0ubuntu0.20.04.1 |
| Ubuntu:Pro:20.04:LTS | canonical | rustc-1.76 | < 1.76.0+dfsg0ubuntu1~bpo0-0ubuntu0.20.04.1 Fix: upgrade to 1.76.0+dfsg0ubuntu1~bpo0-0ubuntu0.20.04.1 |
| Ubuntu:Pro:20.04:LTS | canonical | rustc-1.77 | < 1.77.2+dfsg1ubuntu1~bpo0-0ubuntu0.20.04.1 Fix: upgrade to 1.77.2+dfsg1ubuntu1~bpo0-0ubuntu0.20.04.1 |
| Ubuntu:Pro:20.04:LTS | canonical | rustc-1.78 | < 1.78.0+dfsg1ubuntu1~bpo0-0ubuntu0.20.04.1 Fix: upgrade to 1.78.0+dfsg1ubuntu1~bpo0-0ubuntu0.20.04.1 |
| Ubuntu:Pro:20.04:LTS | canonical | rustc-1.79 | < 1.79.0+dfsg1ubuntu1~bpo0-0ubuntu0.20.04.3 Fix: upgrade to 1.79.0+dfsg1ubuntu1~bpo0-0ubuntu0.20.04.3 |
| Ubuntu:Pro:20.04:LTS | canonical | rustc-1.80 | < 1.80.1+dfsg0ubuntu1~bpo0-0ubuntu0.20.04.1 Fix: upgrade to 1.80.1+dfsg0ubuntu1~bpo0-0ubuntu0.20.04.1 |
Original title
rustc, rustc-1.76, rustc-1.77, rustc-1.78, rustc-1.79, rustc-1.80 vulnerability
Original description
USN-8168-1 fixed a vulnerability in Rust. This update provides the
corresponding update to Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 18.04
LTS and Ubuntu 20.04 LTS.
Original advisory details:
It was discovered that tar-rs embedded in rustc incorrectly handled
symlinks when unpacking a tar archive. If a user or automated system were
tricked into processing a specially crafted tar archive, a remote attacker
could use this issue to modify permissions of arbitrary directories
outside the extraction root, and possibly escalate privileges.
- https://ubuntu.com/security/notices/USN-8168-2 Vendor Advisory
- https://ubuntu.com/security/CVE-2026-33056 Third Party Advisory
Published: 14 Apr 2026 · Updated: 15 Apr 2026 · First seen: 15 Apr 2026