tar.Reader could allocate an unbounded amount of memory when reading
a maliciously-crafted archive containing a large number of sparse
regions encoded in the "old GNU sparse map" format.
We now limit both the number of old GNU sparse map extension blocks,
and the total number of sparse file entries, regardless of encoding.
Thanks to Colin Walters (walters@verbum.org) who initially reported this issue.
Thanks also to Uuganbayar Lkhamsuren (https://github.com/uug4na) and Jakub Ciolek
who additionally reported this issue.
This is CVE-2026-32288 and Go issue https://go.dev/issue/78301.
This is a PRIVATE issue for CVE-2026-32288, tracked in http://b/489152796 and fixed by https://go-internal-review.git.corp.google.com/c/go/+/3901.
/cc @golang/security and @golang/release
tar.Reader could allocate an unbounded amount of memory when reading
a maliciously-crafted archive containing a large number of sparse
regions encoded in the "old GNU sparse map" format.
We now limit both the number of old GNU sparse map extension blocks,
and the total number of sparse file entries, regardless of encoding.
Thanks to Colin Walters (walters@verbum.org) who initially reported this issue.
Thanks also to Uuganbayar Lkhamsuren (https://github.com/uug4na) and Jakub Ciolek
who additionally reported this issue.
This is CVE-2026-32288 and Go issue https://go.dev/issue/78301.
This is a PRIVATE issue for CVE-2026-32288, tracked in http://b/489152796 and fixed by https://go-internal-review.git.corp.google.com/c/go/+/3901.
/cc @golang/security and @golang/release