tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions
Go standard library archive/tar unaffected
Version Status Constraints
0 affected < 1.25.9
1.26.0-0 affected < 1.26.2

No data.

No data.

No data.

Project Subscriptions

No data.

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References
Link Providers
https://go.dev/cl/763766 cve-icon cve-icon
https://go.dev/issue/78301 cve-icon cve-icon
https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU cve-icon cve-icon
https://pkg.go.dev/vuln/GO-2026-4869 cve-icon cve-icon
History

Wed, 08 Apr 2026 01:45:00 +0000

Type Values Removed Values Added
Description tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format.
Title Unbounded allocation for old GNU sparse in archive/tar
References

Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: Go

Published:

Updated: 2026-04-08T01:06:57.416Z

Reserved: 2026-03-11T16:38:46.557Z

Link: CVE-2026-32288

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-04-08T02:16:03.707

Modified: 2026-04-08T02:16:03.707

Link: CVE-2026-32288

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.

Weaknesses

No weakness.