CVE-2026-5223
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H
Summary
Cargo incorrectly handled symlinks inside of crate tarballs downloaded from third-party registries, allowing a malicious crate to override the source code of another crate from the same registry. The severity of the vulnerability is medium for users of third-party registries. Users of crates.io are not affected, as crates.io forbids uploading crates containing any symlink.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Rust Project | Cargo | 1.0.0 < 1.96.0 | affected |
Weaknesses
- CWE-61: CWE-61 UNIX symbolic link (symlink) following
Workarounds
Users who are not able to upgrade to the most recent Rust version are recommended to audit the contents of their registry for the presence of any symlink, and to configure their registry to reject symlink (if such option is available).
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://groups.google.com/g/rustlang-security-announcements/c/IB74S7Yksg8
- https://blog.rust-lang.org/2026/05/25/cve-2026-5223/
- https://github.com/rust-lang/cargo/pull/17031
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.