CVE-2026-5223 - Vulnerability Details - OpenCVE

Cargo incorrectly handled symlinks inside of crate tarballs downloaded from third-party registries, allowing a malicious crate to override the source code of another crate from the same registry. The severity of the vulnerability is **medium** for users of third-party registries. Users of crates.io are **not affected**, as crates.io forbids uploading crates containing any symlink.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact High

Subsequent System Availability Impact High

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

No data.

References

Link	Providers
https://blog.rust-lang.org/2026/05/25/cve-2026-5223/
https://github.com/rust-lang/cargo/pull/17031
https://groups.google.com/g/rustlang-security-announcements/c/IB74S7Yksg8

History

Mon, 25 May 2026 09:45:00 +0000

Type	Values Removed	Values Added
Description		Cargo incorrectly handled symlinks inside of crate tarballs downloaded from third-party registries, allowing a malicious crate to override the source code of another crate from the same registry. The severity of the vulnerability is medium for users of third-party registries. Users of crates.io are not affected, as crates.io forbids uploading crates containing any symlink.
Title		Crates in third party registries can override the cached source of other crates
Weaknesses		CWE-61
References		https://blog.rust-lang.org/2026/05/25/cve-2026-5223/ https://github.com/rust-lang/cargo/pull/17031 https://groups.google.com/g/rustlang-security-announcements/c/IB74S7Yksg8
Metrics		cvssV4_0 `{'score': 6.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H'}`

MITRE

Status: PUBLISHED

Assigner: rust

Published: 2026-05-25T08:57:08.488Z

Updated: 2026-05-25T08:57:08.488Z

Reserved: 2026-03-31T12:07:41.420Z

Link: CVE-2026-5223

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5223", "assignerOrgId": "986d4109-89ea-491f-99fd-a8e4803919bd", "state": "PUBLISHED", "assignerShortName": "rust", "dateReserved": "2026-03-31T12:07:41.420Z", "datePublished": "2026-05-25T08:57:08.488Z", "dateUpdated": "2026-05-25T08:57:08.488Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "986d4109-89ea-491f-99fd-a8e4803919bd", "shortName": "rust", "dateUpdated": "2026-05-25T08:57:08.488Z"}, "title": "Crates in third party registries can override the cached source of other crates", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-61", "description": "CWE-61 UNIX symbolic link (symlink) following", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-141", "descriptions": [{"lang": "en", "value": "CAPEC-141 Cache Poisoning"}]}], "affected": [{"vendor": "Rust Project", "product": "Cargo", "collectionURL": "https://crates.io", "packageName": "cargo", "repo": "https://github.com/rust-lang/cargo", "versions": [{"status": "affected", "version": "1.0.0", "lessThan": "1.96.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Cargo incorrectly handled symlinks inside of crate tarballs downloaded from third-party registries, allowing a malicious crate to override the source code of another crate from the same registry.\u00a0The severity of the vulnerability is **medium** for users of third-party registries. Users of crates.io are **not affected**, as crates.io forbids uploading crates containing any symlink.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Cargo incorrectly handled symlinks inside of crate tarballs downloaded from third-party registries, allowing a malicious crate to override the source code of another crate from the same registry. The severity of the vulnerability is **medium** for users of third-party registries. Users of crates.io are **not affected**, as crates.io forbids uploading crates containing any symlink."}]}], "references": [{"url": "https://groups.google.com/g/rustlang-security-announcements/c/IB74S7Yksg8", "tags": ["vendor-advisory", "mailing-list"]}, {"url": "https://blog.rust-lang.org/2026/05/25/cve-2026-5223/", "tags": ["vendor-advisory"]}, {"url": "https://github.com/rust-lang/cargo/pull/17031", "tags": ["patch"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "subIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 6.5, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H"}}], "workarounds": [{"lang": "en", "value": "Users who are not able to upgrade to the most recent Rust version are recommended to audit the contents of their registry for the presence of any symlink, and to configure their registry to reject symlink (if such option is available).", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Users who are not able to upgrade to the most recent Rust version are recommended to audit the contents of their registry for the presence of any symlink, and to configure their registry to reject symlink (if such option is available).<br>"}]}], "solutions": [{"lang": "en", "value": "Rust 1.96.0, to be released on May 28th, 2026, will update Cargo to \nreject extracting *any* symlink within crate tarballs, regardless of \nwhether they come from crates.io (which already forbids them) or \nthird-party registries. Note that Cargo never added symlinks when \nrunning `cargo package` or `cargo publish`, so the impact of this should be\n minimal.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Rust 1.96.0, to be released on May 28th, 2026, will update Cargo to \nreject extracting *any* symlink within crate tarballs, regardless of \nwhether they come from crates.io (which already forbids them) or \nthird-party registries. Note that Cargo never added symlinks when \nrunning `cargo package` or `cargo publish`, so the impact of this should be\n minimal."}]}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.2"}}}}