Buffer Overflow Vulnerability in Go Programming Language's tar.Reader Component
CVE-2026-32288
Currently unrated
What is CVE-2026-32288?
The tar.Reader component in the Go programming language is susceptible to a memory allocation vulnerability when processing maliciously crafted archives. Specifically, if an archive includes a significant number of sparse regions encoded in the 'old GNU sparse map' format, the tar.Reader can allocate an unbounded amount of memory. This could lead to excessive resource consumption, potentially impacting system performance or leading to denial of service.
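For services that must keep parsing untrusted archives until they are rebuilt with a fixed release, the following added example (not code from the Go project or from this advisory) caps how many bytes tar.Reader may pull from the stream during each Next call, which is where header blocks and chained old GNU sparse map blocks are read. The names guard, ListEntries and ErrHeaderBudget, and the 2 MiB per-entry budget, are assumptions chosen for illustration.

```go
package main

import (
	"archive/tar"
	"errors"
	"fmt"
	"io"
	"os"
)

var ErrHeaderBudget = errors.New("tar: header byte budget exceeded")

// guard meters bytes pulled from the archive while tar.Reader.Next runs.
type guard struct {
	r       io.Reader
	metered bool  // true only during a Next call
	left    int64 // header bytes still allowed for that call
}

func (g *guard) Read(p []byte) (int, error) {
	if g.metered && g.left <= 0 {
		return 0, ErrHeaderBudget
	}
	n, err := g.r.Read(p) // may overshoot by one read; tar reads 512-byte blocks
	g.left -= int64(n)    // reset before every Next, so body reads do not matter
	return n, err
}

// ListEntries fails once one entry's headers (sparse-map blocks included) exceed budget.
func ListEntries(r io.Reader, budget int64) (names []string, err error) {
	g := &guard{r: r}
	tr := tar.NewReader(g)
	for {
		g.metered, g.left = true, budget
		hdr, err := tr.Next()
		g.metered = false
		if err == io.EOF {
			return names, nil
		} else if err != nil {
			return names, err
		}
		names = append(names, hdr.Name)
		if _, err := io.Copy(io.Discard, tr); err != nil { // drain body before Next
			return names, err
		}
	}
}

func main() {
	fmt.Println(ListEntries(os.Stdin, 2<<20)) // 2 MiB per entry: assumed policy value
}
```

The budget only holds if each entry body is consumed before the next Next call, as ListEntries does; otherwise the skipped body bytes are charged against it. Keep the budget above the largest PAX or long-name header you expect to accept.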
Affected Version(s)
archive/tar: >= 0, < 1.25.9
archive/tar: >= 1.26.0-0, < 1.26.2
