CVE-2026-5223 (GCVE-0-2026-5223)

Vulnerability from cvelistv5 – Published: 2026-05-25 08:57 – Updated: 2026-05-27 18:35
Title
Crates in third party registries can override the cached source of other crates
Summary
Cargo incorrectly handled symlinks inside of crate tarballs downloaded from third-party registries, allowing a malicious crate to override the source code of another crate from the same registry. The severity of the vulnerability is **medium** for users of third-party registries. Users of crates.io are **not affected**, as crates.io forbids uploading crates containing any symlink.
CWE
  • CWE-61 - UNIX symbolic link (symlink) following
Assigner
rust (Rust Project)
Impacted products
Vendor        Product   Version
Rust Project  Cargo     Affected: >= 1.0.0, < 1.96.0 (semver)
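The fix described in this record (Cargo 1.96 refusing to extract any symlink from a crate tarball) and the workaround (auditing a registry for crates that contain symlinks) are both mechanical checks on the tar entries of a .crate file. The following is an added example, not Cargo's code and not part of the original record: standard-library Python that scans a directory of .crate files for link entries and extracts a crate under the same no-links policy. It additionally refuses hardlinks and any entry name that would resolve outside the extraction directory; both are additions beyond what the advisory states. The two crates, the `neighbour-0.1.0` target and the `evil-0.1.0` package carrying the symlink, are constructed in memory for the demonstration, and the registry is assumed to be reachable as a directory tree of .crate files (a local mirror or the registry's own storage).

```python
"""Audit .crate tarballs for link entries and extract them under a no-links policy.
Added example, not Cargo's code; standard library only; crate contents are constructed."""
import io
import tarfile
import tempfile
from pathlib import Path

# Entry types refused outright. Hardlinks are flagged as well, which goes
# beyond the advisory (it talks about symlinks only).
LINK_TYPES = {tarfile.SYMTYPE: "symlink", tarfile.LNKTYPE: "hardlink"}


def build_crate(dirname, files, links=()):
    """Construct an in-memory .crate (gzip tar with a `<name>-<version>/`
    prefix) for the example; this is constructed test data."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for rel, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(f"{dirname}/{rel}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        for rel, target in links:
            info = tarfile.TarInfo(f"{dirname}/{rel}")
            info.type = tarfile.SYMTYPE
            info.linkname = target
            tar.addfile(info)
    return buf.getvalue()


# A well-formed crate and one that smuggles a symlink whose target is a path
# relative to the shared extraction directory (hypothetical neighbour crate).
CLEAN_CRATE = build_crate(
    "neighbour-0.1.0",
    {"Cargo.toml": '[package]\nname = "neighbour"\nversion = "0.1.0"\n',
     "src/lib.rs": "pub fn answer() -> u32 { 42 }\n"},
)
EVIL_CRATE = build_crate(
    "evil-0.1.0",
    {"Cargo.toml": '[package]\nname = "evil"\nversion = "0.1.0"\n'},
    links=[("src/lib.rs", "../neighbour-0.1.0/src/lib.rs")],
)


def find_link_entries(crate_bytes):
    """Return (entry name, kind, link target) for every link entry in a crate."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(crate_bytes), mode="r:*") as tar:
        for member in tar:
            kind = LINK_TYPES.get(member.type)
            if kind:
                findings.append((member.name, kind, member.linkname))
    return findings


def audit_registry_dir(root):
    """Walk a directory tree of .crate files and map each offending file
    to its link entries (the advisory's workaround, automated)."""
    report = {}
    for path in sorted(Path(root).rglob("*.crate")):
        links = find_link_entries(path.read_bytes())
        if links:
            report[str(path)] = links
    return report


def safe_extract(crate_bytes, dest):
    """Extract a crate into dest, refusing any link entry and any name that
    would resolve outside dest. Returns the relative paths written."""
    dest = Path(dest).resolve()
    with tarfile.open(fileobj=io.BytesIO(crate_bytes), mode="r:*") as tar:
        members = tar.getmembers()
        for m in members:
            if m.type in LINK_TYPES:
                raise ValueError(
                    f"refusing {LINK_TYPES[m.type]} entry {m.name!r} -> {m.linkname!r}")
            if not (m.isfile() or m.isdir()):
                raise ValueError(f"refusing non-regular entry {m.name!r}")
            target = (dest / m.name).resolve()
            if target != dest and dest not in target.parents:
                raise ValueError(f"entry {m.name!r} escapes the extraction directory")
        # The 'data' filter (Python 3.12+, backported to 3.8.17 and later
        # maintenance releases) adds an independent layer of similar checks.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, members=members, **kwargs)
    return sorted(str(p.relative_to(dest)) for p in dest.rglob("*") if p.is_file())


def try_extract(crate_bytes):
    """Extract into a fresh temporary directory; return the file list on
    success or the refusal message when the policy rejects the crate."""
    with tempfile.TemporaryDirectory() as tmp:
        try:
            return safe_extract(crate_bytes, tmp)
        except ValueError as exc:
            return str(exc)


def demo():
    """Stage both crates in a temporary registry store and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        store = Path(tmp) / "registry" / "cache"
        store.mkdir(parents=True)
        (store / "neighbour-0.1.0.crate").write_bytes(CLEAN_CRATE)
        (store / "evil-0.1.0.crate").write_bytes(EVIL_CRATE)
        return {Path(k).name: v for k, v in audit_registry_dir(store).items()}


if __name__ == "__main__":
    for crate, links in demo().items():
        for name, kind, target in links:
            print(f"{crate}: {kind} {name} -> {target}")
    print(try_extract(CLEAN_CRATE))
    print(try_extract(EVIL_CRATE))
```

Run as a script it prints the audit report for the staged store and the two extraction outcomes; for a real deployment point `audit_registry_dir` at the .crate storage of a private registry or a local mirror of it. The escape check is independent of the link check, so it also catches `..` components in ordinary file names, which is a separate class of problem that this advisory does not cover.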

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-5223",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-26T14:36:37.949868Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-27T18:35:35.093Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://crates.io",
          "defaultStatus": "unaffected",
          "packageName": "cargo",
          "product": "Cargo",
          "repo": "https://github.com/rust-lang/cargo",
          "vendor": "Rust Project",
          "versions": [
            {
              "lessThan": "1.96.0",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Cargo incorrectly handled symlinks inside of crate tarballs downloaded from third-party registries, allowing a malicious crate to override the source code of another crate from the same registry.\u0026nbsp;The severity of the vulnerability is **medium** for users of third-party registries. Users of crates.io are **not affected**, as crates.io forbids uploading crates containing any symlink."
            }
          ],
          "value": "Cargo incorrectly handled symlinks inside of crate tarballs downloaded from third-party registries, allowing a malicious crate to override the source code of another crate from the same registry.\u00a0The severity of the vulnerability is **medium** for users of third-party registries. Users of crates.io are **not affected**, as crates.io forbids uploading crates containing any symlink."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-141",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-141 Cache Poisoning"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-61",
              "description": "CWE-61 UNIX symbolic link (symlink) following",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-25T08:57:08.488Z",
        "orgId": "986d4109-89ea-491f-99fd-a8e4803919bd",
        "shortName": "rust"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "mailing-list"
          ],
          "url": "https://groups.google.com/g/rustlang-security-announcements/c/IB74S7Yksg8"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://blog.rust-lang.org/2026/05/25/cve-2026-5223/"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/rust-lang/cargo/pull/17031"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Rust 1.96.0, to be released on May 28th, 2026, will update Cargo to \nreject extracting *any* symlink within crate tarballs, regardless of \nwhether they come from crates.io (which already forbids them) or \nthird-party registries. Note that Cargo never added symlinks when \nrunning `cargo package` or `cargo publish`, so the impact of this should be\n minimal."
            }
          ],
          "value": "Rust 1.96.0, to be released on May 28th, 2026, will update Cargo to \nreject extracting *any* symlink within crate tarballs, regardless of \nwhether they come from crates.io (which already forbids them) or \nthird-party registries. Note that Cargo never added symlinks when \nrunning `cargo package` or `cargo publish`, so the impact of this should be\n minimal."
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Crates in third party registries can override the cached source of other crates",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Users who are not able to upgrade to the most recent Rust version are recommended to audit the contents of their registry for the presence of any symlink, and to configure their registry to reject symlink (if such option is available).\u003cbr\u003e"
            }
          ],
          "value": "Users who are not able to upgrade to the most recent Rust version are recommended to audit the contents of their registry for the presence of any symlink, and to configure their registry to reject symlink (if such option is available)."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "986d4109-89ea-491f-99fd-a8e4803919bd",
    "assignerShortName": "rust",
    "cveId": "CVE-2026-5223",
    "datePublished": "2026-05-25T08:57:08.488Z",
    "dateReserved": "2026-03-31T12:07:41.420Z",
    "dateUpdated": "2026-05-27T18:35:35.093Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-5223",
      "date": "2026-05-27",
      "epss": "0.00044",
      "percentile": "0.13637"
    }
  }
}

