CVE-2026-5223
Status: Awaiting Analysis (queue)

Symlink Override in Cargo Crate Tarballs

Publication date: 2026-05-25

Last updated on: 2026-06-01

Assigner: rust

Description

Cargo incorrectly handled symlinks inside crate tarballs downloaded from third-party registries, allowing a malicious crate to override the source code of another crate from the same registry. The severity of the vulnerability is **medium** for users of third-party registries. Users of crates.io are **not affected**, as crates.io forbids uploading crates containing any symlink.
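The description above boils down to one check a registry operator or a build pipeline can run before trusting a downloaded .crate file: every entry in the tarball must stay inside the crate's own top-level directory, and any symlink (or hard link) whose resolved target leaves that directory is a problem. The following script is an added example, not part of this report or of Cargo itself. It builds a constructed sample tarball in memory (the crate name "demo-0.1.0", the sibling crate "other-crate-1.0.0" and all file contents are made up for the example), then audits it with the rule just stated. It goes slightly beyond the page in also flagging hard links and entry names that contain "..", since the same escape applies to them.

```python
import io
import posixpath
import tarfile


def build_sample_crate(root: str = "demo-0.1.0") -> bytes:
    """Build a small crate-style tarball in memory.

    Constructed sample data for this example: one real source file, one
    symlink that stays inside the crate directory, one relative symlink
    that climbs out of it, and one absolute symlink.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        src = b"pub fn hello() {}\n"
        info = tarfile.TarInfo(f"{root}/src/lib.rs")
        info.size = len(src)
        tar.addfile(info, io.BytesIO(src))

        # Relative symlink whose target resolves inside the crate directory.
        ok = tarfile.TarInfo(f"{root}/src/alias.rs")
        ok.type = tarfile.SYMTYPE
        ok.linkname = "lib.rs"
        tar.addfile(ok)

        # Relative symlink that climbs out of the crate directory into a
        # sibling crate's source tree (the pattern the advisory describes).
        escape = tarfile.TarInfo(f"{root}/src/escape.rs")
        escape.type = tarfile.SYMTYPE
        escape.linkname = "../../other-crate-1.0.0/src/lib.rs"
        tar.addfile(escape)

        # Absolute symlink target: never inside the crate directory.
        absolute = tarfile.TarInfo(f"{root}/build.rs")
        absolute.type = tarfile.SYMTYPE
        absolute.linkname = "/tmp/elsewhere/build.rs"
        tar.addfile(absolute)
    return buf.getvalue()


def _resolved_target(member: tarfile.TarInfo) -> str:
    """Resolve a link member's target to a path relative to the archive root."""
    if member.issym():
        if posixpath.isabs(member.linkname):
            return member.linkname
        return posixpath.normpath(
            posixpath.join(posixpath.dirname(member.name), member.linkname)
        )
    # Hard links already name their target relative to the archive root.
    return posixpath.normpath(member.linkname)


def _inside_root(path: str, root: str) -> bool:
    """True if path is relative and lies at or below the crate root directory."""
    return not posixpath.isabs(path) and (path == root or path.startswith(root + "/"))


def audit_crate_tarball(data: bytes, allow_symlinks: bool = True) -> dict:
    """Inspect a crate tarball and report link entries that escape its root.

    Returns {"root", "symlinks", "unsafe"}. With allow_symlinks=False every
    link entry is reported as unsafe (the policy crates.io applies).
    """
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        members = tar.getmembers()
        # Cargo crate tarballs have a single top-level "<name>-<version>/" dir.
        root = members[0].name.split("/", 1)[0] if members else ""
        symlinks, unsafe = [], []
        for m in members:
            # An entry whose own name escapes the root is unsafe whatever its type.
            if not _inside_root(posixpath.normpath(m.name), root):
                unsafe.append(m.name)
                continue
            if m.issym() or m.islnk():
                symlinks.append(m.name)
                if not allow_symlinks or not _inside_root(_resolved_target(m), root):
                    unsafe.append(m.name)
    return {"root": root, "symlinks": symlinks, "unsafe": unsafe}


if __name__ == "__main__":
    report = audit_crate_tarball(build_sample_crate())
    for name in report["symlinks"]:
        verdict = "UNSAFE" if name in report["unsafe"] else "ok"
        print(f"{verdict:6} {name}")
```

Run against the constructed sample, the audit accepts the in-crate alias and reports the two entries whose targets leave the crate directory. Passing allow_symlinks=False reproduces the stricter crates.io rule, which rejects every link entry; a third-party registry that cannot vet targets reliably is better off with that mode.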

Meta Information

Published: 2026-05-25
Last Modified: 2026-06-01
Generated: 2026-07-06
AI Q&A: 2026-05-26
EPSS Evaluated: 2026-07-04

Affected Vendors & Products

Vendor: rust-lang
Product: cargo
Version / Range: all versions before 1.96.0 (1.96.0 excluded)

Exploitability

CWE-61: The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.

Executive Summary

This vulnerability involves Cargo, the Rust package manager, incorrectly handling symbolic links (symlinks) inside crate tarballs downloaded from third-party registries. The flaw allows a malicious crate to override the source code of another crate from the same registry through the way those symlinks are handled.

Users of the official crates.io registry are not affected because crates.io forbids uploading crates that contain any symlinks.

Impact Analysis

The vulnerability can lead to a malicious crate overriding the source code of another crate from the same third-party registry. Because the overridden code is then compiled and run as if it were the legitimate crate, this can result in unexpected or harmful code execution, compromising the security and integrity of software projects that depend on the affected crates.

The severity is considered medium for users of third-party registries, but users relying solely on crates.io are not impacted.
