Vulnerability in Go Standard Library Archive/tar
CVE-2026-32288
tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format.
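A bounded pre-check for the sparse-map chain described above, as an added example that is not code from the Go project and not its fix: it follows one entry's old GNU sparse extension blocks and stops once a caller-chosen entry limit is passed. Assumptions: the offsets are those of the old GNU tar header layout, the reader is positioned at a header block, only the typeflag is checked (not the GNU magic), and `sparseMapCapacity`, `ErrSparseLimit` and the limit value are hypothetical names and numbers.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
)

// Offsets from the old GNU tar header layout (512-byte blocks); assumed here.
const (
	blockSize   = 512
	offTypeflag = 156 // typeflag; 'S' marks an old GNU sparse entry
	offHdrExt   = 482 // isextended flag after the header's 4 map entries
	offBlkExt   = 504 // isextended flag after an extension block's 21 entries
)

var ErrSparseLimit = errors.New("old GNU sparse map exceeds entry limit")

// sparseMapCapacity reads one header from r and follows its extension chain,
// returning how many map entries the chain can hold. It stops as soon as that
// passes maxEntries, so work is bounded however long the chain claims to be.
func sparseMapCapacity(r io.Reader, maxEntries int) (int, error) {
	var blk [blockSize]byte
	if _, err := io.ReadFull(r, blk[:]); err != nil {
		return 0, err
	}
	if blk[offTypeflag] != 'S' {
		return 0, nil // not an old GNU sparse entry
	}
	n := 4
	for more := blk[offHdrExt] != 0; more; more = blk[offBlkExt] != 0 {
		if _, err := io.ReadFull(r, blk[:]); err != nil {
			return n, err // chain promised another block that is not there
		}
		if n += 21; n > maxEntries {
			return n, ErrSparseLimit
		}
	}
	return n, nil
}

func main() {
	// Constructed sample: a sparse-flagged header plus one extension block.
	// Only the flags are set (no checksum), so this is not a valid archive.
	in := make([]byte, 2*blockSize)
	in[offTypeflag], in[offHdrExt] = 'S', 1
	fmt.Println(sparseMapCapacity(bytes.NewReader(in), 1024)) // 25 <nil>
}
```

The check consumes the blocks it reads, so run it on a copy of the header region (for example via `io.TeeReader` or a seekable source) before handing the stream to `tar.Reader`.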
EPSS: 0.000 (0.2th percentile)
Affected products
- Go Standard Library Archive/tar — versions 0, 1.26.0-0