tar.Reader can run out of memory when reading crafted archives that use the old GNU sparse map format
GO-2026-4869
CVE-2026-32288
Summary
A maliciously crafted archive can cause tar.Reader in stdlib to consume excessive memory, potentially crashing or freezing the system. The trigger is a large number of sparse regions encoded in the "old GNU sparse map" format. This issue affects programs that use tar.Reader to read archives. To mitigate this risk, update stdlib to the patched version or ensure that untrusted archives are not read with an affected version.
What to do
- Update stdlib to version 1.26.2.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | stdlib | > 1.26.0-0, <= 1.26.2 | 1.26.2 |
Original title
tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format.
Original description
tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format.
Published: 8 Apr 2026 · Updated: 9 Apr 2026 · First seen: 8 Apr 2026
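Where an affected build cannot be updated right away, the sparse-region count can be bounded before the archive reaches tar.Reader. The following is an added example, not code from the Go project: `ScanOldGNUSparse`, `ErrSparseLimit`, `maxExt` and `constructedSample` are hypothetical names, and the byte offsets assume the old GNU sparse header layout (typeflag at 156, continuation flag at 482 in the header and at 504 in each extension block).

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"strconv"
)

var ErrSparseLimit = errors.New("old GNU sparse map exceeds local limit")

// ScanOldGNUSparse walks raw 512-byte tar blocks and counts old-GNU sparse
// extension blocks (21 regions each; a typeflag 'S' header flags the first at
// byte 482, each block flags the next at byte 504). It fails closed once the
// count passes maxExt, a local policy value. Checksums are not verified.
func ScanOldGNUSparse(r io.Reader, maxExt int) (int, error) {
	var b [512]byte
	n := 0
	for {
		if _, err := io.ReadFull(r, b[:]); err != nil || b == ([512]byte{}) {
			return n, err // read error, or end-of-archive marker (err == nil)
		}
		size, err := strconv.ParseInt(string(bytes.Trim(b[124:136], " \x00")), 8, 64)
		if err != nil || size < 0 { // base-256 or malformed size: reject
			return n, errors.New("unsupported size field")
		}
		more := b[156] == 'S' && bytes.HasPrefix(b[257:], []byte("ustar  \x00")) && b[482] != 0
		for ; more; more = b[504] != 0 {
			if n++; n > maxExt {
				return n, ErrSparseLimit
			}
			if _, err := io.ReadFull(r, b[:]); err != nil {
				return n, err
			}
		}
		if _, err := io.CopyN(io.Discard, r, (size+511)&^511); err != nil { // skip padded data
			return n, err
		}
	}
}

// constructedSample (constructed input): 'S' header, size 0, three extension blocks, end marker.
func constructedSample() []byte {
	a := make([]byte, 4*512+1024)
	copy(a[124:], "00000000000")
	copy(a[257:], "ustar  \x00")
	a[156], a[482], a[512+504], a[1024+504] = 'S', 1, 1, 1
	return a
}

func main() { fmt.Println(ScanOldGNUSparse(bytes.NewReader(constructedSample()), 8)) }
```

A stream that ends without the zero-block end marker is reported as `io.EOF`, so truncated input is also rejected rather than passed on.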