Golang Archive/Tar Unbounded Memory Allocation Vulnerability

Vulnerability

A vulnerability exists in the archive/tar package of the Go standard library in versions before 1.25.9, and in 1.26.0 up to but not including 1.26.2. tar.Reader can allocate an unbounded amount of memory while processing a maliciously crafted archive: an entry that carries a large number of sparse regions encoded in the old GNU sparse map format causes the reader to build a correspondingly large in-memory map of those regions without bounding its size, so memory use is dictated by the attacker rather than by the caller.

Impact

Exploitation results in a denial of service: a crafted archive fed to tar.Reader consumes excessive memory, exhausting the resources of the application or of the host it runs on. Any program that opens tar archives from untrusted sources is exposed.

Remediation

Upgrade to Go 1.25.9 (for the 1.25 series) or 1.26.2 (for the 1.26 series), which contain the fix. Because the flaw is in the standard library, affected binaries must be rebuilt with a fixed toolchain; updating dependencies alone does not help.
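For a service that must keep accepting tar input until the upgrade lands, the following Go program is an added example (not code from this page, the Go project or its advisory). It shows the old GNU sparse map layout the advisory refers to and a guard that rejects such entries on the raw header bytes. tar.Reader parses the sparse map inside Next(), before the Header is returned, so inspecting Header.Typeflag afterwards is too late; the guard therefore walks the 512-byte header blocks itself. The field offsets are those of the GNU tar header layout; the function names, the error value and the crafted sample archive are this example's own constructions.

```go
package main

import (
	"archive/tar"
	"errors"
	"fmt"
	"io"
	"strconv"
	"strings"
)

// Offsets in the 512-byte tar header block. The last two are the old GNU
// sparse map fields; archive/tar reads the map from the same positions.
const (
	blockSize    = 512
	offSize      = 124 // 12 bytes: octal, or GNU base-256 when byte 0 has its high bit set
	offChksum    = 148 // 8 bytes
	offTypeflag  = 156
	offMagic     = 257 // "ustar  \x00" marks a GNU header
	offGNUSparse = 386 // 4 map entries of (offset, numbytes), 12 octal bytes each
	offGNUIsExt  = 482 // non-zero: more map entries follow in extended header blocks
)

var errSparseRejected = errors.New("old GNU sparse entry rejected before reaching tar.Reader")

// parseSize decodes an octal size field; GNU base-256 sizes are refused so the guard fails closed.
func parseSize(b []byte) (int64, error) {
	if b[0]&0x80 != 0 {
		return 0, errors.New("base-256 size field not supported by this scanner")
	}
	if s := strings.Trim(string(b), " \x00"); s != "" {
		return strconv.ParseInt(s, 8, 64)
	}
	return 0, nil
}

// scanForGNUSparse walks the raw header blocks of a tar stream, skipping every payload
// without interpreting it, and fails on the first GNU 'S' entry. Returns headers examined.
func scanForGNUSparse(r io.Reader) (int, error) {
	var blk, zero [blockSize]byte
	n := 0
	for {
		if _, err := io.ReadFull(r, blk[:]); err != nil {
			if err == io.EOF {
				return n, nil // stream ended without the two-zero-block trailer
			}
			return n, err
		}
		if blk == zero {
			return n, nil // end-of-archive marker
		}
		n++
		if blk[offTypeflag] == tar.TypeGNUSparse && string(blk[offMagic:offMagic+8]) == "ustar  \x00" {
			return n, fmt.Errorf("entry %d: %w", n, errSparseRejected)
		}
		size, err := parseSize(blk[offSize : offSize+12])
		if err != nil || size < 0 {
			return n, fmt.Errorf("entry %d: bad size field %q: %v", n, blk[offSize:offSize+12], err)
		}
		switch blk[offTypeflag] { // header-only types carry no data blocks, as in archive/tar
		case tar.TypeLink, tar.TypeSymlink, tar.TypeChar, tar.TypeBlock, tar.TypeDir, tar.TypeFifo:
			size = 0
		}
		if _, err := io.CopyN(io.Discard, r, size+(blockSize-size%blockSize)%blockSize); err != nil {
			return n, fmt.Errorf("entry %d: truncated payload: %w", n, err)
		}
	}
}

// setChecksum fills the header checksum: byte sum with the checksum field itself counted as spaces.
func setChecksum(blk []byte) {
	copy(blk[offChksum:], "        ")
	sum := 0
	for _, c := range blk {
		sum += int(c)
	}
	copy(blk[offChksum:], fmt.Sprintf("%06o\x00 ", sum))
}

// buildOldGNUSparseArchive is constructed sample input (not a real capture): one old GNU sparse
// entry with isextended set, one all-zero extended map block (its byte 504 is 0), then the trailer.
func buildOldGNUSparseArchive() []byte {
	var hdr [blockSize]byte
	copy(hdr[:], "sparse.bin")
	copy(hdr[100:], "0000644\x00")
	copy(hdr[offSize:], "00000000000\x00") // no stored data blocks follow the map
	hdr[offTypeflag] = tar.TypeGNUSparse
	copy(hdr[offMagic:], "ustar  \x00")
	for i := 0; i < 4; i++ {
		copy(hdr[offGNUSparse+24*i:], "00000000000\x00")    // offset
		copy(hdr[offGNUSparse+24*i+12:], "00000000000\x00") // numbytes
	}
	hdr[offGNUIsExt] = 1
	setChecksum(hdr[:])
	return append(hdr[:], make([]byte, 3*blockSize)...)
}
```

The guard is deliberately narrow: it rejects only typeflag 'S' entries carrying the GNU magic, which is exactly the old sparse map encoding named in the advisory, and leaves PAX-based GNU sparse entries (ordinary '0' entries with GNU.sparse.* records) alone. It fails closed on base-256 size fields rather than decoding them. Because the scan consumes the stream, an untrusted upload should be buffered or spooled to a temporary file first, scanned with scanForGNUSparse, and only then handed to tar.NewReader.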

Added: Apr 8, 2026, 2:22 AM
Updated: Apr 8, 2026, 2:22 AM

Vulnerability Rating

Custom Algorithm
spread: 5.4
impact: 2.5
exploitability: 5.3
remediation: 7.7
relevance: 5.5
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.