Description
time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary, non-malicious input will never encounter this scenario. A limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned rather than exhausting the stack.
Published: 2026-02-06
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via stack exhaustion
Action: Immediate Patch
AI Analysis

Impact

The time crate's RFC 2822 parser could be driven into unbounded recursion by malicious input. Anyone who controls a string handed to a type that parses with the RFC 2822 format can craft input that nests one of the format's formally deprecated, rarely used constructs deeply enough to exhaust the call stack. In Rust a stack overflow aborts the whole process instead of unwinding, so the outcome is a crash and loss of availability rather than a recoverable error. The assigned weaknesses are CWE‑770 (Allocation of Resources Without Limits or Throttling) and CWE‑121 (Stack‑based Buffer Overflow), the latter being how the stack‑exhaustion outcome was classified.

Affected Systems

The vulnerability affects the time crate (time-rs) in the Rust ecosystem. Releases from 0.3.6 through 0.3.46 inclusive are affected: the vulnerable parsing code was introduced in 0.3.6 and the recursion‑depth limit that fixes it shipped in 0.3.47. Releases before 0.3.6 and 0.3.47 or later are not affected.

Risk and Exploitability

The 6.8 figure is the CVSS 4.0 base score (Medium; vector AV:N/AC:H/AT:N/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H); NVD's CVSS 3.1 score is 6.5 and Red Hat rates it Moderate at 5.9, and all three agree the only impact is on availability. The EPSS score is below 1%, reflecting a low likelihood of exploitation in the wild, and the flaw is not listed in the CISA KEV catalog. It is reachable, though, in any application that passes unchecked user input to an RFC 2822‑parsing type, such as a Date: header or timestamp field taken from a network peer. Exploitation requires a deliberately constructed RFC 2822 value; ordinary input never reaches the hazardous recursion depth.

Generated by OpenCVE AI on April 17, 2026 at 22:30 UTC.

Remediation

The upstream fix is time 0.3.47, which adds a recursion‑depth limit and returns an error instead of exhausting the stack. No vendor workaround other than upgrading is published.

OpenCVE Recommended Actions

  • Upgrade the time crate to version 0.3.47 or newer, which enforces a recursion depth limit and returns an error before stack exhaustion occurs.
  • Gate untrusted input before it reaches RFC 2822 parsing: cap its length and reject pathologically repeated or nested syntax so that no payload can reach a hazardous recursion depth. This is a stopgap for versions you cannot upgrade yet, not a substitute for 0.3.47.
  • If the upgrade is delayed, isolate parsing of untrusted RFC 2822 input in a separate, supervised process. A Rust stack overflow aborts the entire process rather than unwinding, so a larger ulimit or thread stack only raises the attacker's cost, and cgroups or ulimit bound resource use without preventing the crash; process isolation with automatic restart is what actually contains the outage.
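The mechanism described under Impact and the input pre-filter recommended above, as an added example that is not code from the time crate or from this advisory. The advisory does not name which deprecated RFC 2822 feature the report abused, so the block assumes the nestable comment token, "(a (b (c)))", as a stand-in for any recursive grammar rule; the MAX_DEPTH and MAX_INPUT_LEN values and the parse_comment_*, nesting_depth and precheck names are this example's own choices, not the crate's.

```rust
// Added example, not code from the time crate or this advisory: a minimal
// recursive-descent parser for the nestable RFC 2822/5322 "comment" token,
// e.g. "(a (b (c)) d)". Nested comments are an ASSUMED stand-in for whichever
// deprecated, recursive RFC 2822 construct the real report abused.

#[derive(Debug, PartialEq)]
pub enum ParseError {
    NotAComment,  // input does not start with '('
    Unterminated, // ran out of bytes before the matching ')'
    TooDeep,      // nesting exceeded the limit (bounded parser only)
}

/// Nesting cap in the spirit of the depth limit added in time 0.3.47.
/// The value is this example's assumption, not the crate's number.
pub const MAX_DEPTH: usize = 64;
/// Assumed cap for the pre-filter; RFC 5322 limits a line to 998 bytes.
pub const MAX_INPUT_LEN: usize = 4096;

/// One stack frame per nesting level. `limit == None` is the vulnerable
/// shape: a long run of '(' recurses once per byte until the stack is gone,
/// and a Rust stack overflow aborts the whole process rather than unwinding.
/// `Some(limit)` is the fixed shape: return an error instead of recursing.
/// On success returns (deepest nesting seen, bytes consumed).
fn parse_comment(input: &[u8], depth: usize, limit: Option<usize>)
    -> Result<(usize, usize), ParseError>
{
    if input.first() != Some(&b'(') {
        return Err(ParseError::NotAComment);
    }
    if limit.map_or(false, |l| depth > l) {
        return Err(ParseError::TooDeep);
    }
    let mut max_depth = depth;
    let mut i = 1;
    while i < input.len() {
        match input[i] {
            b'(' => {
                let (d, used) = parse_comment(&input[i..], depth + 1, limit)?;
                max_depth = max_depth.max(d);
                i += used;
            }
            b')' => return Ok((max_depth, i + 1)),
            b'\\' => i += 2, // quoted-pair: the escaped byte is not structural
            _ => i += 1,
        }
    }
    Err(ParseError::Unterminated)
}

/// Vulnerable shape (before 0.3.47): recursion bounded only by the stack.
pub fn parse_comment_unbounded(input: &[u8]) -> Result<(usize, usize), ParseError> {
    parse_comment(input, 1, None)
}

/// Hardened shape (0.3.47 and later): fails closed with `TooDeep`.
pub fn parse_comment_bounded(input: &[u8]) -> Result<(usize, usize), ParseError> {
    parse_comment(input, 1, Some(MAX_DEPTH))
}

/// Iterative (constant-stack) nesting measurement for use as a pre-filter
/// in front of a parser you cannot upgrade yet.
pub fn nesting_depth(input: &[u8]) -> usize {
    let (mut depth, mut deepest, mut i) = (0usize, 0usize, 0usize);
    while i < input.len() {
        match input[i] {
            b'\\' => i += 1, // skip the escaped byte
            b'(' => {
                depth += 1;
                deepest = deepest.max(depth);
            }
            b')' => depth = depth.saturating_sub(1),
            _ => {}
        }
        i += 1;
    }
    deepest
}

/// Gate for untrusted input: cheap, non-recursive, and rejects anything
/// that could drive a recursive RFC 2822 parser past MAX_DEPTH.
pub fn precheck(input: &[u8]) -> bool {
    input.len() <= MAX_INPUT_LEN && nesting_depth(input) <= MAX_DEPTH
}

fn main() {
    let benign = b"(a (b (c)) d)";
    println!("benign, unbounded: {:?}", parse_comment_unbounded(benign)); // Ok((3, 13))

    // Constructed hostile input: one million '(' with no closing parens.
    let hostile = vec![b'('; 1_000_000];
    println!("hostile, bounded:  {:?}", parse_comment_bounded(&hostile)); // Err(TooDeep)
    println!("hostile, precheck: {}", precheck(&hostile)); // false
    // parse_comment_unbounded(&hostile) is deliberately not called: a million
    // frames exceed the default 8 MiB main-thread stack and abort the process.
}
```

The program exits cleanly because the unbounded path is never fed the hostile input; removing that guard is the experiment that shows the abort. precheck costs one linear pass with no recursion, so it can sit in front of a call such as time::OffsetDateTime::parse with the Rfc2822 well-known format on a version you have not yet upgraded; it narrows the attack surface but does not replace the 0.3.47 fix, which enforces the limit inside the parser itself.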



Advisories
Source: GitHub GHSA
ID: GHSA-r6v5-fh4h-64xc
Title: time vulnerable to stack exhaustion Denial of Service attack
History

Tue, 24 Feb 2026 15:30:00 +0000

  First Time appeared (added): Time Project; Time Project time
  CPEs (added): cpe:2.3:a:time_project:time:*:*:*:*:*:rust:*:*
  Vendors & Products (added): Time Project; Time Project time
  Metrics cvssV3_1 (removed): {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}
  Metrics cvssV3_1 (added): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}


Tue, 10 Feb 2026 00:15:00 +0000

  Weaknesses (added): CWE-770
  References: changed
  Metrics threat_severity (removed): None
  Metrics cvssV3_1 (added): {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}
  Metrics threat_severity (added): Moderate


Mon, 09 Feb 2026 11:00:00 +0000

  First Time appeared (added): Time-rs; Time-rs time
  Vendors & Products (added): Time-rs; Time-rs time

Fri, 06 Feb 2026 21:15:00 +0000

  Metrics ssvc (added): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 06 Feb 2026 19:30:00 +0000

  Description (added): time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary, non-malicious input will never encounter this scenario. A limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned rather than exhausting the stack.
  Title (added): time affected by a stack exhaustion denial of service attack
  Weaknesses (added): CWE-121
  References: changed
  Metrics cvssV4_0 (added): {'score': 6.8, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-06T20:22:58.488Z

Reserved: 2026-02-05T16:48:00.426Z

Link: CVE-2026-25727

Vulnrichment

Updated: 2026-02-06T20:22:35.892Z

NVD

Status : Analyzed

Published: 2026-02-06T20:16:11.860

Modified: 2026-02-24T15:23:35.563

Link: CVE-2026-25727

Red Hat

Severity : Moderate

Public Date: 2026-02-06T19:20:56Z

Links: CVE-2026-25727 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T22:45:29Z

Weaknesses