[Bug 2154209] [NEW] CVE-2026-5223: Crates in third party registries can override the cached source of other crates

Max Gilmour 2154209 at bugs.launchpad.net
Mon May 25 17:02:15 UTC 2026


Public bug reported:

A full description of this CVE can be found on the rust-lang blog[1].

Cargo incorrectly handles symlinks inside of crate tarballs downloaded
from third-party registries, allowing malicious crates to override the
source code of another crate from the same registry.

Starting with Rust 1.96.0, extracting any symlink within crate tarballs
shall be rejected, so any Rust version before that is affected.

[1]: https://blog.rust-lang.org/2026/05/25/cve-2026-5223/
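As an added example (not part of the bug report, the blog post, or Cargo's own code), a Python pre-extraction audit that applies the policy described above to a .crate tarball: any symlink entry is rejected. It also goes a step beyond the text by rejecting hardlinks and paths that escape the archive root; the crate names, paths and contents are constructed fixtures.

```python
import io
import posixpath
import tarfile

def audit_crate_tarball(data: bytes) -> list:
    """Return reasons to reject a .crate tarball; empty list means accept.

    Mirrors the policy the advisory describes for Rust 1.96.0: every symlink
    (and, defensively, every hardlink) entry is rejected. A second check
    also rejects entries whose normalised path escapes the archive root.
    """
    problems = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar.getmembers():
            if member.issym() or member.islnk():
                problems.append(f"link entry: {member.name} -> {member.linkname}")
            normalised = posixpath.normpath(member.name)
            if posixpath.isabs(member.name) or normalised.startswith(".."):
                problems.append(f"path escapes crate root: {member.name}")
    return problems

def build_tarball(entries) -> bytes:
    """Build a gzipped tar in memory from (name, kind, payload) tuples;
    kind is "file" (payload bytes) or "symlink" (payload = link target)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, kind, payload in entries:
            info = tarfile.TarInfo(name)
            if kind == "file":
                info.size = len(payload)
                tar.addfile(info, io.BytesIO(payload))
            else:
                info.type = tarfile.SYMTYPE
                info.linkname = payload
                tar.addfile(info)
    return buf.getvalue()

# Constructed fixtures (not real crates): a clean crate, and one carrying a
# symlink entry plus a traversal path, both of which the audit must flag.
GOOD_CRATE = build_tarball([
    ("demo-0.1.0/Cargo.toml", "file", b'[package]\nname = "demo"\n'),
    ("demo-0.1.0/src/lib.rs", "file", b"pub fn f() {}\n"),
])
BAD_CRATE = build_tarball([
    ("demo-0.1.0/Cargo.toml", "file", b'[package]\nname = "demo"\n'),
    ("demo-0.1.0/src", "symlink", "../elsewhere"),
    ("../escape.txt", "file", b"x\n"),
])
```

Running `audit_crate_tarball` over a registry mirror's .crate files before they reach an older Cargo gives the same rejection the 1.96.0 extractor applies.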

** Affects: rustc-1.93 (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: foundations-todo

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to rustc-1.93 in Ubuntu.
Matching subscriptions: rustc-1.93
https://bugs.launchpad.net/bugs/2154209

