CVE-2026-32288

EUVD-2026-20016
tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
UNKNOWN
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
golang
jammy
dne
noble
dne
questing
dne
golang-1.6
jammy
dne
noble
dne
questing
dne
xenial
needs-triage
golang-1.8
bionic
needs-triage
jammy
dne
noble
dne
questing
dne
golang-1.9
bionic
needs-triage
jammy
dne
noble
dne
questing
dne
golang-1.10
bionic
needs-triage
jammy
dne
noble
dne
questing
dne
trusty
needs-triage
xenial
needs-triage
golang-1.13
bionic
needs-triage
focal
needs-triage
jammy
needs-triage
noble
dne
questing
dne
xenial
needs-triage
golang-1.14
focal
needs-triage
jammy
dne
noble
dne
questing
dne
golang-1.16
bionic
needs-triage
focal
needs-triage
jammy
dne
noble
dne
questing
dne
golang-1.17
jammy
needs-triage
noble
dne
questing
dne
golang-1.18
bionic
needs-triage
focal
needs-triage
jammy
needs-triage
noble
dne
questing
dne
xenial
needs-triage
golang-1.20
focal
needs-triage
jammy
needs-triage
noble
dne
questing
dne
golang-1.21
focal
needs-triage
jammy
needs-triage
noble
needs-triage
questing
dne
golang-1.22
focal
needs-triage
jammy
needs-triage
noble
needs-triage
questing
dne
golang-1.23
jammy
needs-triage
noble
needs-triage
questing
needs-triage
golang-1.24
jammy
needs-triage
noble
needs-triage
questing
needs-triage
golang-1.25
jammy
dne
noble
dne
questing
needs-triage
References
https://go.dev/cl/763766
https://go.dev/issue/78301
https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU
https://pkg.go.dev/vuln/GO-2026-4869