CVE-2026-32288
Unbounded Memory Allocation in Go tar.Reader via Malicious Sparse Archive
Publication date: 2026-04-08
Last updated on: 2026-04-16
Assigner: Go Project
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| golang | go | Up to 1.25.9 (exc) |
| golang | go | From 1.26.0 (inc) to 1.26.2 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32288 is a vulnerability in the Go programming language's archive/tar package. It occurs because tar.Reader can allocate an unbounded amount of memory when processing a maliciously crafted tar archive that contains a large number of sparse regions encoded using the old GNU sparse map format.
This unbounded memory allocation happens during the parsing of these specially crafted tar files, which can cause excessive memory consumption.
How can this vulnerability impact me?
The vulnerability can lead to excessive memory consumption when a vulnerable system processes a malicious tar archive. This can cause denial of service (DoS) by exhausting system resources.
Such resource exhaustion may degrade system performance or cause crashes, impacting availability of services that rely on the Go archive/tar package.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the Go standard library package archive/tar processing maliciously crafted tar archives with a large number of sparse regions in the old GNU sparse map format, leading to unbounded memory allocation.
Detection would involve identifying tar archives using the old GNU sparse map format with an unusually large number of sparse regions before processing them with tar.Reader.
However, no specific detection commands or network/system scanning commands are provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update to the fixed version of the Go language where limits have been introduced on the number of old GNU sparse map extension blocks and the total number of sparse file entries processed by tar.Reader.
This fix prevents unbounded memory allocation by bounding resource usage during parsing of tar archives.
Specifically, upgrading to Go 1.27 or later, where this issue is addressed, is recommended.
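The detection and mitigation answers above describe the fix as bounding the number of old GNU sparse map extension blocks and the total number of sparse entries that tar.Reader will process. As an added example (not code from the Go project or from this advisory), the Go program below applies the same idea as a pre-scan in front of tar.Reader: it walks the raw 512-byte header blocks, recognises old GNU sparse members (typeflag 'S' with the GNU magic), counts extension blocks and (offset, length) entries, and rejects the archive as soon as either cap is exceeded, so the map is never handed to the library. The caps (16 blocks, 1024 entries), the function names and the buildSparseArchive generator that constructs synthetic test archives are assumptions of this example; the header layout it relies on (inline map at offset 386, isextended flags at 482 and 504, 21 entries per extension block) is the old GNU sparse format.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"strconv"
)

// blockSize is the tar record size. The two caps are assumptions chosen for
// this example, not the limits the Go project adopted in its fix.
const blockSize, maxSparseExtBlocks, maxSparseEntries = 512, 16, 1024
var ErrTooManySparseBlocks = errors.New("tar: too many old GNU sparse extension blocks")
var ErrTooManySparseEntries = errors.New("tar: too many old GNU sparse entries")

// countEntries counts 24-byte sparse entries up to the first whose offset field
// starts with NUL, the terminator both GNU tar and Go's tar.Reader use.
func countEntries(b []byte) (n int) {
	for i := 0; i+24 <= len(b) && b[i] != 0; i += 24 {
		n++
	}
	return n
}

// ScanOldGNUSparse walks a tar stream header by header, totals the old GNU sparse
// map extension blocks and entries over all members, and fails at the first cap hit.
func ScanOldGNUSparse(r io.Reader) (extBlocks, entries int, err error) {
	blk := make([]byte, blockSize)
	for {
		if _, err = io.ReadFull(r, blk); err == io.EOF || (err == nil && len(bytes.Trim(blk, "\x00")) == 0) {
			return extBlocks, entries, nil // clean end of archive
		} else if err != nil {
			return extBlocks, entries, err
		}
		// On-disk (compact) size of the member; octal only, anything else fails closed.
		size, perr := strconv.ParseInt(string(bytes.Trim(blk[124:136], " \x00")), 8, 64)
		if perr != nil {
			return extBlocks, entries, fmt.Errorf("bad size field: %w", perr)
		}
		if blk[156] == 'S' && string(blk[257:263]) == "ustar " { // old GNU sparse member
			entries += countEntries(blk[386:482]) // the four inline entries
			for extended := blk[482] != 0; extended; extended = blk[504] != 0 {
				if extBlocks++; extBlocks > maxSparseExtBlocks {
					return extBlocks, entries, ErrTooManySparseBlocks
				}
				if _, err = io.ReadFull(r, blk); err != nil {
					return extBlocks, entries, err
				}
				if entries += countEntries(blk[:504]); entries > maxSparseEntries {
					return extBlocks, entries, ErrTooManySparseEntries
				}
			}
		}
		// Skip the member's data, rounded up to whole blocks.
		if _, err = io.CopyN(io.Discard, r, (size+blockSize-1)/blockSize*blockSize); err != nil {
			return extBlocks, entries, err
		}
	}
}

// putOctal writes v as a zero-padded, NUL-terminated octal field.
func putOctal(dst []byte, v int64) { copy(dst, fmt.Sprintf("%0*o\x00", len(dst)-1, v)) }

// fillEntries writes consecutive (offset, length) pairs: 512 bytes at 1 KiB spacing.
func fillEntries(dst []byte, first int64) {
	for i := 0; i+24 <= len(dst); i += 24 {
		putOctal(dst[i:i+12], (first+int64(i/24))*1024)
		putOctal(dst[i+12:i+24], 512)
	}
}

// buildSparseArchive constructs a synthetic one-member old GNU sparse archive
// (valid checksum, no data blocks) whose map spans extBlocks extension blocks.
func buildSparseArchive(extBlocks int) []byte {
	hdr := make([]byte, blockSize)
	copy(hdr, "sparse.bin")        // name; uid, gid and mtime stay zero
	putOctal(hdr[124:136], 0)      // size: no data blocks follow the map
	hdr[156] = 'S'                 // typeflag: old GNU sparse file
	copy(hdr[257:], "ustar  \x00") // GNU magic and version
	fillEntries(hdr[386:482], 0)   // the four inline entries
	if extBlocks > 0 {
		hdr[482] = 1 // isextended: the map continues in extension blocks
	}
	putOctal(hdr[483:495], int64(4+21*extBlocks)*1024) // realsize (logical size)
	sum := 8 * int(' ')                                  // checksum field counts as spaces
	for _, c := range hdr {
		sum += int(c)
	}
	copy(hdr[148:156], fmt.Sprintf("%06o\x00 ", sum))
	out := append([]byte{}, hdr...)
	for b := 0; b < extBlocks; b++ {
		ext := make([]byte, blockSize)
		fillEntries(ext[:504], int64(4+21*b)) // 21 entries per extension block
		if b < extBlocks-1 {
			ext[504] = 1 // chain to the next extension block
		}
		out = append(out, ext...)
	}
	return append(out, make([]byte, 2*blockSize)...) // end-of-archive marker
}
```

Because the scan consumes the stream, run it over a buffered copy (bytes.NewReader on data already in memory, or a file re-opened after the scan) and only then call tar.NewReader on the same bytes. The scanner counts the same two quantities the fix bounds, so on an unpatched Go release it acts as a stopgap in front of archive/tar, and on a fixed release it remains a cheap way to log and reject archives that carry implausibly large sparse maps before any allocation happens.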
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of CVE-2026-32288 on compliance with common standards and regulations such as GDPR or HIPAA.