A tar.Reader in the Go standard library can allocate an unlimited amount of memory when parsing a malicious archive that contains a large number of sparse regions encoded in the old GNU sparse map format. The resulting out‑of‑memory condition can cause the process to crash or be terminated, leading to a denial‑of‑service impact. The weakness corresponds to CWE-770, indicating an unbounded allocation of resources.

The vulnerability affects the Go standard library package archive/tar. No specific version ranges are provided in the source data, so any application that imports archive/tar and processes user supplied tar files is potentially exposed. If a system relies on an older Go release that has not yet been patched, it remains vulnerable.

The CVSS score of 5.5 indicates a moderate severity. The EPSS score of less than 1% suggests that the probability of exploitation in the wild is low, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves an adversary supplying a specially crafted tar archive to an application that uses the affected tar.Reader implementation. Exploitation requires the target to accept and process the archive; if the archive is refused or the application terminates before allocation, the impact is mitigated. In environments where arbitrary tar inputs are processed, the risk is higher because the resource exhaustion can disrupt service availability.