CVE-2026-25727 time affected by a stack exhaustion denial of service attack

🗓️ 06 Feb 2026 19:20:56Reported by GoogleType

osv🔗 osv.dev👁 5 Views

CVE-2026-25727: The Rust time crate stack-exhausts via RFC 2822 input before 0.3.47; 0.3.47 adds a recursion limit and returns an error.

Reporter	Title	Published	Views	Family All 363
IBM Security Bulletins	Security Bulletin: Cargo in IBM Open SDK for Rust on AIX uses a vulnerable version of the time crate (CVE-2026-25727)	8 May 202618:30	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Edge Data Collector uses time-0.3.37.crate which is vulnerable to CVE-2026-25727.	30 Mar 202607:20	–	ibm
ATTACKERKB	CVE-2026-25727	6 Feb 202619:20	–	attackerkb
Tenable Nessus	Amazon Linux 2023 : firefox (ALAS2023-2026-1445)	6 Mar 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2023 : mount-s3 (ALAS2023-2026-1510)	1 Apr 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2023 : below (ALAS2023-2026-1523)	1 Apr 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2023 : cargo-c (ALAS2023-2026-1527)	1 Apr 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2023 : amazon-efs-utils (ALAS2023-2026-1564)	13 Apr 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2023 : librsvg2, librsvg2-devel, librsvg2-tools (ALAS2023-2026-1591)	30 Apr 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2023 : aws-nitro-tpm-tools (ALAS2023-2026-1610)	30 Apr 202600:00	–	nessus

Source	Link
github	www.github.com/time-rs/time/blob/main/CHANGELOG.md
github	www.github.com/time-rs/time/releases/tag/v0.3.47
github	www.github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25727.json
github	www.github.com/time-rs/time/security/advisories/GHSA-r6v5-fh4h-64xc
nvd	www.nvd.nist.gov/vuln/detail/CVE-2026-25727
github	www.github.com/time-rs/time/commit/1c63dc7985b8fa26bd8c689423cc56b7a03841ee

19 Jun 2026 08:29Current

5.5Medium risk

Vulners AI Score5.5

CVSS 46.8

EPSS0.00291