[Bug 2154209] Re: CVE-2026-5223: Crates in third party registries can override the cached source of other crates
Finn Gärtner
2154209 at bugs.launchpad.net
Thu May 28 01:31:32 UTC 2026
** Changed in: rustc-1.62 (Ubuntu)
Assignee: (unassigned) => Finn Gärtner (finnrg)
** Changed in: rustc-1.74 (Ubuntu Noble)
Assignee: (unassigned) => Finn Gärtner (finnrg)
** Changed in: rustc-1.74 (Ubuntu)
Assignee: (unassigned) => Finn Gärtner (finnrg)
** Changed in: rustc-1.62 (Ubuntu Jammy)
Assignee: (unassigned) => Finn Gärtner (finnrg)
** Changed in: rustc-1.92 (Ubuntu)
Assignee: (unassigned) => Finn Gärtner (finnrg)
** Changed in: rustc-1.91 (Ubuntu)
Assignee: (unassigned) => Finn Gärtner (finnrg)
** Changed in: rustc-1.88 (Ubuntu)
Assignee: (unassigned) => Finn Gärtner (finnrg)
** Changed in: rustc-1.77 (Ubuntu)
Assignee: (unassigned) => Finn Gärtner (finnrg)
** Changed in: rustc-1.80 (Ubuntu)
Assignee: (unassigned) => Finn Gärtner (finnrg)
** Changed in: rustc-1.81 (Ubuntu)
Assignee: (unassigned) => Finn Gärtner (finnrg)
** Changed in: rustc-1.84 (Ubuntu)
Assignee: (unassigned) => Finn Gärtner (finnrg)
** Changed in: rustc-1.82 (Ubuntu)
Assignee: (unassigned) => Finn Gärtner (finnrg)
** Changed in: rustc-1.79 (Ubuntu)
Assignee: (unassigned) => Finn Gärtner (finnrg)
** Changed in: rustc-1.85 (Ubuntu)
Assignee: (unassigned) => Finn Gärtner (finnrg)
** Changed in: rustc-1.78 (Ubuntu)
Assignee: (unassigned) => Finn Gärtner (finnrg)
--
https://bugs.launchpad.net/bugs/2154209
Title:
CVE-2026-5223: Crates in third party registries can override the
cached source of other crates
Status in rustc-1.62 package in Ubuntu:
New
Status in rustc-1.74 package in Ubuntu:
New
Status in rustc-1.76 package in Ubuntu:
New
Status in rustc-1.77 package in Ubuntu:
New
Status in rustc-1.78 package in Ubuntu:
New
Status in rustc-1.79 package in Ubuntu:
New
Status in rustc-1.80 package in Ubuntu:
New
Status in rustc-1.81 package in Ubuntu:
New
Status in rustc-1.82 package in Ubuntu:
New
Status in rustc-1.84 package in Ubuntu:
New
Status in rustc-1.85 package in Ubuntu:
New
Status in rustc-1.88 package in Ubuntu:
New
Status in rustc-1.91 package in Ubuntu:
New
Status in rustc-1.92 package in Ubuntu:
New
Status in rustc-1.93 package in Ubuntu:
In Progress
Status in rustc-1.62 source package in Jammy:
New
Status in rustc-1.76 source package in Jammy:
New
Status in rustc-1.77 source package in Jammy:
New
Status in rustc-1.78 source package in Jammy:
New
Status in rustc-1.79 source package in Jammy:
New
Status in rustc-1.80 source package in Jammy:
New
Status in rustc-1.81 source package in Jammy:
New
Status in rustc-1.82 source package in Jammy:
New
Status in rustc-1.85 source package in Jammy:
New
Status in rustc-1.88 source package in Jammy:
New
Status in rustc-1.91 source package in Jammy:
New
Status in rustc-1.92 source package in Jammy:
New
Status in rustc-1.93 source package in Jammy:
New
Status in rustc-1.74 source package in Noble:
New
Status in rustc-1.76 source package in Noble:
New
Status in rustc-1.77 source package in Noble:
New
Status in rustc-1.78 source package in Noble:
New
Status in rustc-1.79 source package in Noble:
New
Status in rustc-1.80 source package in Noble:
New
Status in rustc-1.81 source package in Noble:
New
Status in rustc-1.82 source package in Noble:
New
Status in rustc-1.85 source package in Noble:
New
Status in rustc-1.88 source package in Noble:
New
Status in rustc-1.91 source package in Noble:
New
Status in rustc-1.92 source package in Noble:
New
Status in rustc-1.93 source package in Noble:
New
Status in rustc-1.85 source package in Questing:
New
Status in rustc-1.88 source package in Questing:
New
Status in rustc-1.91 source package in Questing:
New
Status in rustc-1.92 source package in Questing:
New
Status in rustc-1.93 source package in Questing:
New
Status in rustc-1.88 source package in Resolute:
New
Status in rustc-1.91 source package in Resolute:
New
Status in rustc-1.92 source package in Resolute:
New
Status in rustc-1.93 source package in Resolute:
New
Bug description:
A full description of this CVE can be found on the rust-lang blog[1].
Cargo incorrectly handles symlinks inside of crate tarballs downloaded
from third-party registries, allowing malicious crates to override the
source code of another crate from the same registry.
Starting with Rust 1.96.0, extracting any symlink within crate
tarballs shall be rejected, so any Rust version before that is
affected.
[1]: https://blog.rust-lang.org/2026/05/25/cve-2026-5223/
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/rustc-1.62/+bug/2154209/+subscriptions
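
A defender-side check for the condition the bug description names, added here as an example and not taken from the bug report or from Cargo: it lists the symlink entries in a `.crate` tarball by reading headers only, without extracting anything. The function names and the sample crate `demo-0.1.0` are constructed for illustration.

```python
import io
import tarfile


def find_symlinks(crate_bytes):
    """Return (member path, link target) for every symlink entry in a .crate."""
    found = []
    # A .crate file is a gzip-compressed tarball; only the headers are read
    # here, nothing is written to disk.
    with tarfile.open(fileobj=io.BytesIO(crate_bytes), mode="r:gz") as tar:
        for member in tar:
            if member.issym():
                found.append((member.name, member.linkname))
    return found


def build_sample_crate(with_symlink):
    """Constructed sample input: a tiny in-memory tarball shaped like a crate."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        source = b"pub fn demo() {}\n"
        info = tarfile.TarInfo("demo-0.1.0/src/lib.rs")
        info.size = len(source)
        tar.addfile(info, io.BytesIO(source))
        if with_symlink:
            link = tarfile.TarInfo("demo-0.1.0/alias.rs")
            link.type = tarfile.SYMTYPE
            link.linkname = "src/lib.rs"  # harmless target inside the same crate
            tar.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("clean", False), ("with symlink", True)):
        hits = find_symlinks(build_sample_crate(flag))
        print(label, "->", hits if hits else "no symlink entries")
```

To audit downloads already on disk, pass the bytes of each `.crate` file to `find_symlinks`; any non-empty result is an archive that, per the description above, Rust 1.96.0 and later refuse to extract.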