Buffer Overflow Vulnerability in Go Programming Language's tar.Reader Component
CVE-2026-32288
5.5 MEDIUM
What is CVE-2026-32288?
The tar.Reader component in the Go programming language is susceptible to a memory allocation vulnerability when processing maliciously crafted archives. Specifically, if an archive includes a significant number of sparse regions encoded in the 'old GNU sparse map' format, tar.Reader can allocate an unbounded amount of memory while parsing them. This could lead to excessive resource consumption, degrading system performance or resulting in a denial of service.
Affected Version(s)
archive/tar 0 < 1.25.9
archive/tar 1.26.0-0 < 1.26.2
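The two things a defender wants from this advisory are a way to tell whether a running binary was built with an affected toolchain, and a way to keep untrusted archives from driving tar.Reader's resource use in the first place. The following Go program is an added example, not code from the Go project or from the advisory. It assumes that the "archive/tar" ranges above are Go toolchain releases (archive/tar ships in the standard library and is versioned with Go), so that "0 < 1.25.9" means every release below go1.25.9 and "1.26.0-0 < 1.26.2" means go1.26.0 and go1.26.1; the 64 MiB cap, the entry limit and the in-memory sample archive are constructed for the example.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"go/version"
	"io"
	"runtime"
)

// fixedVersions maps each affected Go minor series to the first release that
// carries the archive/tar fix, taken from the advisory's "Affected Version(s)".
var fixedVersions = map[string]string{
	"go1.25": "go1.25.9",
	"go1.26": "go1.26.2",
}

// isAffected reports whether a toolchain version string (the form returned by
// runtime.Version(), e.g. "go1.25.3") falls in an affected range. Everything
// below go1.25.9 is affected per the "0 < 1.25.9" range; go1.26.0 and go1.26.1
// are affected per "1.26.0-0 < 1.26.2". Strings go/version cannot parse (devel
// builds, GOEXPERIMENT suffixes) are reported as affected so the check fails safe.
func isAffected(v string) bool {
	if !version.IsValid(v) {
		return true
	}
	series := version.Lang(v) // "go1.25.3" -> "go1.25"
	if version.Compare(series, "go1.25") < 0 {
		return true
	}
	fixed, listed := fixedVersions[series]
	if !listed {
		return false // series newer than any listed range, e.g. go1.27
	}
	return version.Compare(v, fixed) < 0
}

// maxArchiveBytes caps how much untrusted archive data is ever handed to
// tar.Reader (constructed limit for this example). This is defense in depth:
// patching the toolchain is the fix; the cap bounds worst-case input size
// regardless of how the archive's headers are encoded.
const maxArchiveBytes = 64 << 20

// readEntriesBounded lists entry names from an untrusted tar stream, refusing
// archives that reach the byte cap or that contain more than maxEntries headers.
func readEntriesBounded(r io.Reader, maxEntries int) ([]string, error) {
	lr := &io.LimitedReader{R: r, N: maxArchiveBytes}
	tr := tar.NewReader(lr)
	var names []string
	for {
		hdr, err := tr.Next()
		if err != nil {
			if lr.N <= 0 {
				// Hitting the cap is reported even when tar.Reader saw a clean
				// EOF, so a truncated archive is never mistaken for a complete one.
				return names, fmt.Errorf("archive reached %d-byte cap: %w", maxArchiveBytes, err)
			}
			if err == io.EOF {
				return names, nil
			}
			return names, err
		}
		if len(names) >= maxEntries {
			return names, fmt.Errorf("archive has more than %d entries", maxEntries)
		}
		names = append(names, hdr.Name)
	}
}

// sampleArchive builds a small, well-formed tar archive in memory. It is
// constructed input for this example, not a malicious archive.
func sampleArchive() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, f := range []struct{ name, body string }{{"a.txt", "hello"}, {"b.txt", "world"}} {
		hdr := &tar.Header{Name: f.name, Mode: 0o644, Size: int64(len(f.body))}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if _, err := tw.Write([]byte(f.body)); err != nil {
			panic(err)
		}
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	v := runtime.Version()
	fmt.Printf("toolchain %s affected by CVE-2026-32288: %v\n", v, isAffected(v))
	names, err := readEntriesBounded(bytes.NewReader(sampleArchive()), 10)
	fmt.Println("entries:", names, "err:", err)
}
```

isAffected is deliberately conservative: a version string it cannot parse is treated as vulnerable rather than silently passing, which is the behaviour you want in a startup self-check or a CI gate. readEntriesBounded bounds both the bytes consumed and the number of headers, so the cost of processing an archive from an untrusted source is capped independently of the archive's internal structure.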
References
CVSS v3.1
Score: 5.5
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Colin Walters (walters@verbum.org)
Uuganbayar Lkhamsuren (https://github.com/uug4na)
Jakub Ciolek
