CVE-2026-32288 — Allocation of Resources Without Limits or Throttling in Standard Library Archive TAR

CWE-770 — Allocation of Resources Without Limits or Throttling10 documents8 sources

Severity

5.5MEDIUMNVD

EPSS

0.0%

top 99.71%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GO Standard Library Archive TAR

Timeline

PublishedApr 8

Description

tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages1 packages

▶CVEListV5go_standard_library/archive_tar1.26.0-0 — 1.26.2+1

🔴Vulnerability Details

GHSA

GHSA-x4jj-h2v8-hqqv: tar↗2026-04-08

▶

CVEList

Unbounded allocation for old GNU sparse in archive/tar↗2026-04-08

▶

OSV

CVE-2026-32288: tar↗2026-04-08

▶

OSV

Unbounded allocation for old GNU sparse in archive/tar↗2026-04-07

▶

📋Vendor Advisories

Red Hat

archive/tar: golang: Go's archive/tar package: Denial of Service via maliciously-crafted archive↗2026-04-08

▶

Debian

CVE-2026-32288: golang-1.15 - tar.Reader can allocate an unbounded amount of memory when reading a maliciously...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-32288 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

💬Community

Bugzilla

CVE-2026-32288 archive/tar: golang: Go's archive/tar package: Denial of Service via maliciously-crafted archive↗2026-04-08

▶

Bugzilla

CVE-2026-32288 golang: Go's archive/tar package: Denial of Service via maliciously-crafted archive [fedora-all]↗2026-04-08

▶