CVE-2026-25727 time affected by a stack exhaustion denial of service attack

🗓️ 06 Feb 2026 19:20:56Reported by GitHub_MType

CVE-2026-25727: Rust time RFC 2822 parsing caused stack exhaustion DoS in 0.3.6–0.3.46; fixed in 0.3.47.

Reporter	Title	Published	Views	Family All 363
IBM Security Bulletins	Security Bulletin: Cargo in IBM Open SDK for Rust on AIX uses a vulnerable version of the time crate (CVE-2026-25727)	8 May 202618:30	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Edge Data Collector uses time-0.3.37.crate which is vulnerable to CVE-2026-25727.	30 Mar 202607:20	–	ibm
ATTACKERKB	CVE-2026-25727	6 Feb 202619:20	–	attackerkb
Tenable Nessus	Amazon Linux 2023 : firefox (ALAS2023-2026-1445)	6 Mar 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2023 : mount-s3 (ALAS2023-2026-1510)	1 Apr 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2023 : below (ALAS2023-2026-1523)	1 Apr 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2023 : cargo-c (ALAS2023-2026-1527)	1 Apr 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2023 : amazon-efs-utils (ALAS2023-2026-1564)	13 Apr 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2023 : librsvg2, librsvg2-devel, librsvg2-tools (ALAS2023-2026-1591)	30 Apr 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2023 : aws-nitro-tpm-tools (ALAS2023-2026-1610)	30 Apr 202600:00	–	nessus

[
  {
    "vendor": "time-rs",
    "product": "time",
    "versions": [
      {
        "version": ">= 0.3.6, < 0.3.47",
        "status": "affected"
      }
    ]
  }
]

Source	Link
github	www.github.com/time-rs/time/releases/tag/v0.3.47
github	www.github.com/time-rs/time/commit/1c63dc7985b8fa26bd8c689423cc56b7a03841ee
github	www.github.com/time-rs/time/blob/main/CHANGELOG.md
github	www.github.com/time-rs/time/security/advisories/GHSA-r6v5-fh4h-64xc

06 Feb 2026 19:20Current

CVSS 46.8

EPSS0.00291

CWE-121