2456332 – (CVE-2026-32288) CVE-2026-32288 archive/tar: golang: Go's archive/tar package: Denial of Service via maliciously-crafted archive

Bug 2456332 (CVE-2026-32288) - CVE-2026-32288 archive/tar: golang: Go's archive/tar package: Denial of Service via maliciously-crafted archive

Summary: CVE-2026-32288 archive/tar: golang: Go's archive/tar package: Denial of Servi...

Keywords:
Status:	NEW
Alias:	CVE-2026-32288
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2456709
Blocks:
TreeView+	depends on / blocked

Reported:	2026-04-08 02:01 UTC by OSIDB Bzimport
Modified:	2026-04-09 15:55 UTC (History)
CC List:	89 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-04-08 02:01:21 UTC

tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format.

Note You need to log in before you can comment on or make changes to this bug.

aazores
akoudelk
alcohan
amctagga
anjoseph
anpicker
ansmith
aoconnor
asatyam
bbrownin
bdettelb
bniver
bparees
cmah
dhanak
diagrawa
doconnor
drosa
dsimansk
dymurray
eaguilar
ebaron
eborisov
eglynn
fdeutsch
flucifre
gmeno
gparvin
groman
hasun
ibolton
jbalunas
jcantril
jfula
jjoyce
jkoehler
jmatthew
jmontleo
jolong
jowilson
jprabhak
jpretori
jschluet
kingland
kverlaen
lball
lbragsta
lchilton
lgamliel
lhh
lphiri
manissin
mbenjamin
mburns
mgarciac
mhackett
mnovotny
mwringe
ngough
nyancey
ometelka
oramraz
pahickey
peholase
pgaikwad
pjindal
ptisnovs
rfreiman
rhaigner
rjohnson
rojacob
sabiswas
sausingh
sdawley
sfeifer
slucidi
smullick
sostapov
sseago
stirabos
syedriko
thason
vereddy
veshanka
wenshen
whayutin
wtam
xdharmai
xiyuan