Symlink Handling Issue in Cargo from Rust Language
CVE-2026-5223

6.5MEDIUM

Key Information:

Vendor

Rust Project

Status
Cargo
Vendor
CVE Published:
25 May 2026

What is CVE-2026-5223?

The vulnerability arises from Cargo's improper management of symlinks in crate tarballs sourced from third-party registries. This flaw could permit a malicious crate to replace the source code of another crate within the same registry, posing a significant risk for users who rely on these external sources. Notably, users of crates.io are safeguarded against this issue, as the platform prohibits the upload of crates containing symlinks. It is crucial for developers utilizing Cargo from third-party registries to remain vigilant and ensure their environments are secure against potential exploitation.

Affected Version(s)

Cargo 1.0.0 < 1.96.0

References

https://groups.google.com/g/rustlang-security-announcemen...
vendor-advisorymailing-list
https://blog.rust-lang.org/2026/05/25/cve-2026-5223/
vendor-advisory
https://github.com/rust-lang/cargo/pull/17031
patch

CVSS V4

Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.