CVE-2026-5223 - Vulnerability Details

Description

Cargo incorrectly handled symlinks inside of crate tarballs downloaded from third-party registries, allowing a malicious crate to override the source code of another crate from the same registry. The severity of the vulnerability is **medium** for users of third-party registries. Users of crates.io are **not affected**, as crates.io forbids uploading crates containing any symlink.

Published: 2026-05-25

Score: 6.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Cargo fails to reject symlinks inside crate tarballs from third‑party registries, allowing a malicious crate to overwrite the source of another crate pulled from the same registry. This permits an attacker to inject arbitrary code into dependencies that use Cargo, potentially leading to compromise of applications that depend on the tampered crate. The weakness is a classic Path Traversal/Lnk exploit (CWE‑61) and the described impact is rated medium with a CVSS score of 6.5.

Affected Systems

The flaw affects all releases of Rust Project Cargo prior to the upcoming Rust 1.96.0 update scheduled for 28 May 2026. Any user that relies on third‑party registries for crate distribution is subject to the issue, while crates.io users remain protected because the registry forbids symlinks. The vulnerability is specific to Cargo, the default Rust package manager.

Risk and Exploitability

The CVSS score reflects a moderate degree of risk, and the EPSS score is not available, while the vulnerability is not listed in CISA KEV. The threat is executed by an adversary who can publish a malicious crate with a symlink that points to the source of another crate; when Cargo extracts the tarball the symlink replaces the target file, thereby corrupting the other crate's code base. Attackers therefore need control over a third‑party registry or the ability to force downstream consumers to install the malicious crate (e.g., via transitive dependency).

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Rust Project

Cargo

unaffected

Version	Status	Constraints
`1.0.0`	affected	< 1.96.0

No data.

No data available yet.

Remediation

Vendor Solution

Rust 1.96.0, to be released on May 28th, 2026, will update Cargo to reject extracting *any* symlink within crate tarballs, regardless of whether they come from crates.io (which already forbids them) or third-party registries. Note that Cargo never added symlinks when running `cargo package` or `cargo publish`, so the impact of this should be minimal.

Vendor Workaround

Users who are not able to upgrade to the most recent Rust version are recommended to audit the contents of their registry for the presence of any symlink, and to configure their registry to reject symlink (if such option is available).

OpenCVE Recommended Actions

Upgrade to Rust 1.96.0, which updates Cargo to reject any symlink in crate tarballs from any registry.
If upgrading is not feasible, audit the contents of your registry for symlinks and configure the registry to reject symlinks if the option exists.
If the registry cannot reject symlinks, consider removing that registry from your Cargo configuration or switching to crates.io, or notify the registry maintainers about the vulnerability.

Generated by OpenCVE AI on May 25, 2026 at 10:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact High

Subsequent System Availability Impact High

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00044.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://blog.rust-lang.org/2026/05/25/cve-2026-5223/
https://github.com/rust-lang/cargo/pull/17031
https://groups.google.com/g/rustlang-security-announcements/c/IB74S7Yksg8

History

Mon, 25 May 2026 09:45:00 +0000

Type	Values Removed	Values Added
Description		Cargo incorrectly handled symlinks inside of crate tarballs downloaded from third-party registries, allowing a malicious crate to override the source code of another crate from the same registry. The severity of the vulnerability is medium for users of third-party registries. Users of crates.io are not affected, as crates.io forbids uploading crates containing any symlink.
Title		Crates in third party registries can override the cached source of other crates
Weaknesses		CWE-61
References		https://blog.rust-lang.org/2026/05/25/cve-2026-5223/ https://github.com/rust-lang/cargo/pull/17031 https://groups.google.com/g/rustlang-security-announcements/c/IB74S7Yksg8
Metrics		cvssV4_0 `{'score': 6.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: rust

Published: 2026-05-25T08:57:08.488Z

Updated: 2026-05-25T08:57:08.488Z

Reserved: 2026-03-31T12:07:41.420Z

Link: CVE-2026-5223

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-25T10:30:22Z

Weaknesses

CWE-61

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact High

Subsequent System Availability Impact High

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object