CVE-2026-32288

Summary

tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format.

Affected Software

VendorProductVersion RangeStatus
Go standard libraryarchive/tar0 < 1.25.9affected
Go standard libraryarchive/tar1.26.0-0 < 1.26.2affected

Weaknesses

  • CWE-400: Uncontrolled Resource Consumption

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References