—

CVE-2026-32288EXPLOITEDPATCHED

go standard library · archive/tar

Unbounded allocation for old GNU sparse in archive/tar

Description

tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format.

Affected Products

Vendor	Product	Versions
go standard library	archive/tar	0, 1.26.0-0, 1.25.8, 1.26.1

References

Related News (1 articles)

Tier C

VulDB5h ago

CVE-2026-32288 | archive-tar up to 1.25.8/1.26.1 on Go Archive resource consumption

→ No new info (linked only)

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

1.25.91.26.2

PublishedApr 8, 2026

Last enriched4h agov2

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

CRITICALCVE-2026-33810EXP

Case-sensitive excludedSubtrees name constraints cause Auth Bypass in crypto/x509

Trending: 49

HIGHCVE-2026-32289EXP

JsBraceDepth Context Tracking Bugs (XSS) in html/template

Trending: 46

HIGHCVE-2026-32283EXP

Unauthenticated TLS 1.3 KeyUpdate record can cause persistent connection retention and DoS in crypto/tls

Trending: 46

HIGHCVE-2026-32281EXP

Inefficient policy validation in crypto/x509

Trending: 46

CRITICALCVE-2026-32282

TOCTOU permits root escape on Linux via Root.Chmod in os in internal/syscall/unix

Trending: 30

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Apr 8, 2026

Actively Exploited

Apr 8, 2026

Patch Available

Apr 8, 2026

Discovered by ZDM

Apr 8, 2026

Updated: affectedVersions, severity, activelyExploited, tags

Apr 8, 2026

Version History

Last enriched 4h ago

v2Tier C4h ago

Updated affected versions to include 1.25.8 and 1.26.1, changed severity to HIGH, and noted that the vulnerability is actively exploited.

affectedVersionsseverityactivelyExploitedtags

via VulDB

v18h ago

Initial creation