{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-5223","assignerOrgId":"986d4109-89ea-491f-99fd-a8e4803919bd","state":"PUBLISHED","assignerShortName":"rust","dateReserved":"2026-03-31T12:07:41.420Z","datePublished":"2026-05-25T08:57:08.488Z","dateUpdated":"2026-05-27T18:35:35.093Z"},"containers":{"cna":{"providerMetadata":{"orgId":"986d4109-89ea-491f-99fd-a8e4803919bd","shortName":"rust","dateUpdated":"2026-05-25T08:57:08.488Z"},"title":"Crates in third party registries can override the cached source of other crates","problemTypes":[{"descriptions":[{"lang":"en","cweId":"CWE-61","description":"CWE-61 UNIX symbolic link (symlink) following","type":"CWE"}]}],"impacts":[{"capecId":"CAPEC-141","descriptions":[{"lang":"en","value":"CAPEC-141 Cache Poisoning"}]}],"affected":[{"vendor":"Rust Project","product":"Cargo","collectionURL":"https://crates.io","packageName":"cargo","repo":"https://github.com/rust-lang/cargo","versions":[{"status":"affected","version":"1.0.0","lessThan":"1.96.0","versionType":"semver"}],"defaultStatus":"unaffected"}],"descriptions":[{"lang":"en","value":"Cargo incorrectly handled symlinks inside of crate tarballs downloaded from third-party registries, allowing a malicious crate to override the source code of another crate from the same registry. The severity of the vulnerability is **medium** for users of third-party registries. Users of crates.io are **not affected**, as crates.io forbids uploading crates containing any symlink.","supportingMedia":[{"type":"text/html","base64":false,"value":"Cargo incorrectly handled symlinks inside of crate tarballs downloaded from third-party registries, allowing a malicious crate to override the source code of another crate from the same registry.&nbsp;The severity of the vulnerability is **medium** for users of third-party registries. Users of crates.io are **not affected**, as crates.io forbids uploading crates containing any symlink."}]}],"references":[{"url":"https://groups.google.com/g/rustlang-security-announcements/c/IB74S7Yksg8","tags":["vendor-advisory","mailing-list"]},{"url":"https://blog.rust-lang.org/2026/05/25/cve-2026-5223/","tags":["vendor-advisory"]},{"url":"https://github.com/rust-lang/cargo/pull/17031","tags":["patch"]}],"metrics":[{"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}],"cvssV4_0":{"attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"PASSIVE","vulnConfidentialityImpact":"NONE","subConfidentialityImpact":"HIGH","vulnIntegrityImpact":"LOW","subIntegrityImpact":"HIGH","vulnAvailabilityImpact":"NONE","subAvailabilityImpact":"HIGH","exploitMaturity":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED","version":"4.0","baseSeverity":"MEDIUM","baseScore":6.5,"vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H"}}],"workarounds":[{"lang":"en","value":"Users who are not able to upgrade to the most recent Rust version are recommended to audit the contents of their registry for the presence of any symlink, and to configure their registry to reject symlink (if such option is available).","supportingMedia":[{"type":"text/html","base64":false,"value":"Users who are not able to upgrade to the most recent Rust version are recommended to audit the contents of their registry for the presence of any symlink, and to configure their registry to reject symlink (if such option is available).<br>"}]}],"solutions":[{"lang":"en","value":"Rust 1.96.0, to be released on May 28th, 2026, will update Cargo to \nreject extracting *any* symlink within crate tarballs, regardless of \nwhether they come from crates.io (which already forbids them) or \nthird-party registries. Note that Cargo never added symlinks when \nrunning `cargo package` or `cargo publish`, so the impact of this should be\n minimal.","supportingMedia":[{"type":"text/html","base64":false,"value":"Rust 1.96.0, to be released on May 28th, 2026, will update Cargo to \nreject extracting *any* symlink within crate tarballs, regardless of \nwhether they come from crates.io (which already forbids them) or \nthird-party registries. Note that Cargo never added symlinks when \nrunning `cargo package` or `cargo publish`, so the impact of this should be\n minimal."}]}],"source":{"discovery":"UNKNOWN"},"x_generator":{"engine":"Vulnogram 1.0.2"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-05-26T14:36:37.949868Z","id":"CVE-2026-5223","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-05-27T18:35:35.093Z"}}]}}