CVE-2026-32288
Received Received - Intake
Unbounded Memory Allocation in Go tar.Reader via Malicious Sparse Archive

Publication date: 2026-04-08

Last updated on: 2026-04-16

Assigner: Go Project

Description
tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-08
Last Modified
2026-04-16
Generated
2026-06-16
AI Q&A
2026-04-08
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32288
EUVD
EUVD-2026-20016
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
golang go to 1.25.9 (exc)
golang go From 1.26.0 (inc) to 1.26.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-32288 is a vulnerability in the Go programming language's archive/tar package. It occurs because tar.Reader can allocate an unbounded amount of memory when processing a maliciously crafted tar archive that contains a large number of sparse regions encoded using the old GNU sparse map format.

This unbounded memory allocation happens during the parsing of these specially crafted tar files, which can cause excessive memory consumption.

Impact Analysis

The vulnerability can lead to excessive memory consumption when a vulnerable system processes a malicious tar archive. This can cause denial of service (DoS) by exhausting system resources.

Such resource exhaustion may degrade system performance or cause crashes, impacting availability of services that rely on the Go archive/tar package.

Detection Guidance

This vulnerability involves the Go standard library package archive/tar processing maliciously crafted tar archives with a large number of sparse regions in the old GNU sparse map format, leading to unbounded memory allocation.

Detection would involve identifying tar archives using the old GNU sparse map format with an unusually large number of sparse regions before processing them with tar.Reader.

However, no specific detection commands or network/system scanning commands are provided in the available resources.

Mitigation Strategies

To mitigate this vulnerability, update to the fixed version of the Go language where limits have been introduced on the number of old GNU sparse map extension blocks and the total number of sparse file entries processed by tar.Reader.

This fix prevents unbounded memory allocation by bounding resource usage during parsing of tar archives.

Specifically, upgrading to Go 1.27 or later, where this issue is addressed, is recommended.

Compliance Impact

The provided information does not specify any direct impact of CVE-2026-32288 on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32288. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart