CVE-2026-5223

🗓️ 25 May 2026 10:16:00Reported by ubuntu.comType

ubuntucve

ubuntucve🔗 ubuntu.com👁 8 Views

Cargo symlinks in third party tarballs enable overwriting a crate's source; crates.io unaffected.

Reporter	Title	Published	Views	Family All 28
ATTACKERKB	CVE-2026-5223	25 May 202608:57	–	attackerkb
AlpineLinux	CVE-2026-5223	25 May 202608:57	–	alpinelinux
CBLMariner	CVE-2026-5223 affecting package rust for versions less than 1.75.0-30	13 Jun 202618:21	–	cbl_mariner
CBLMariner	CVE-2026-5223 affecting package rust for versions less than 1.90.0-9	13 Jun 202618:21	–	cbl_mariner
Circl	CVE-2026-5223	25 May 202609:14	–	circl
CNNVD	Cargo 安全漏洞	25 May 202600:00	–	cnnvd
CVE	CVE-2026-5223	25 May 202608:57	–	cve
Cvelist	CVE-2026-5223 Crates in third party registries can override the cached source of other crates	25 May 202608:57	–	cvelist
Debian CVE	CVE-2026-5223	25 May 202608:57	–	debiancve
EUVD	EUVD-2026-31658	26 Jun 202621:48	–	euvd

OS	OS Version	Architecture	Package	Package Version	Filename
Ubuntu	14.04	any	rustc	0	rustc_0_any.deb
Ubuntu	18.04	any	rustc	0	rustc_0_any.deb
Ubuntu	20.04	any	rustc	0	rustc_0_any.deb
Ubuntu	22.04	any	rustc	0	rustc_0_any.deb
Ubuntu	24.04	any	rustc	0	rustc_0_any.deb
Ubuntu	22.04	any	rustc-1.62	0	rustc-1.62_0_any.deb
Ubuntu	24.04	any	rustc-1.74	0	rustc-1.74_0_any.deb
Ubuntu	20.04	any	rustc-1.76	0	rustc-1.76_0_any.deb
Ubuntu	22.04	any	rustc-1.76	0	rustc-1.76_0_any.deb
Ubuntu	24.04	any	rustc-1.76	0	rustc-1.76_0_any.deb

Source	Link
cve	www.cve.org/CVERecord
blog	www.blog.rust-lang.org/2026/05/25/cve-2026-5223/
github	www.github.com/rust-lang/cargo/pull/17031
groups	www.groups.google.com/g/rustlang-security-announcements/c/IB74S7Yksg8

27 May 2026 19:20Current

5.8Medium risk

Vulners AI Score5.8

CVSS 3.15.3

CVSS 46.5

EPSS0.00294

SSVC

third party registries symlink handling crate source override crates registry unaffected