CVE-2026-5223
Awaiting Analysis Awaiting Analysis - Queue
Symlink Override in Cargo Crate Tarballs

Publication date: 2026-05-25

Last updated on: 2026-06-01

Assigner: rust

Description
Cargo incorrectly handled symlinks inside of crate tarballs downloaded from third-party registries, allowing a malicious crate to override the source code of another crate from the same registry.Β The severity of the vulnerability is **medium** for users of third-party registries. Users of crates.io are **not affected**, as crates.io forbids uploading crates containing any symlink.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-25
Last Modified
2026-06-01
Generated
2026-06-15
AI Q&A
2026-05-26
EPSS Evaluated
2026-06-14
NVD
CVE-2026-5223
EUVD
EUVD-2026-31658
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
rust-lang cargo to 1.96.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-61 The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability involves Cargo, a package manager, incorrectly handling symbolic links (symlinks) inside crate tarballs downloaded from third-party registries. This flaw allows a malicious crate to override the source code of another crate from the same registry by exploiting the symlink handling.

Users of the official crates.io registry are not affected because crates.io forbids uploading crates that contain any symlinks.

Impact Analysis

The vulnerability can lead to a malicious crate overriding the source code of another crate from the same third-party registry. This can result in unexpected or harmful code execution when using affected crates, potentially compromising the security and integrity of software projects that rely on these crates.

The severity is considered medium for users of third-party registries, but users relying solely on crates.io are not impacted.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5223. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart