CVE-2026-5223

NameCVE-2026-5223
DescriptionCargo incorrectly handled symlinks inside of crate tarballs downloaded from third-party registries, allowing a malicious crate to override the source code of another crate from the same registry. The severity of the vulnerability is **medium** for users of third-party registries. Users of crates.io are **not affected**, as crates.io forbids uploading crates containing any symlink.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
cargo (PTS)bullseye0.47.0-3vulnerable
bookworm0.66.0+ds1-1vulnerable
rust-cargo (PTS)bullseye0.43.1-4vulnerable
bookworm0.66.0-1vulnerable
trixie0.86.0-2vulnerable
forky, sid0.91.0-4fixed
rustc (PTS)bullseye1.48.0+dfsg1-2vulnerable
bookworm1.63.0+dfsg1-2vulnerable
trixie1.85.0+dfsg3-1vulnerable
forky, sid1.95.0+dfsg1-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
cargosource(unstable)(unfixed)
rust-cargosource(unstable)0.91.0-3
rustcsource(unstable)1.95.0+dfsg1-2

Notes

[bookworm] - cargo <no-dsa> (Minor issue)
[bullseye] - cargo <postponed> (Minor issue)
[trixie] - rust-cargo <no-dsa> (Minor issue)
[bookworm] - rust-cargo <no-dsa> (Minor issue)
[bullseye] - rust-cargo <postponed> (Minor issue)
[trixie] - rustc <no-dsa> (Minor issue)
[bookworm] - rustc <no-dsa> (Minor issue)
[bullseye] - rustc <postponed> (Minor issue)
https://groups.google.com/g/rustlang-security-announcements/c/IB74S7Yksg8
https://blog.rust-lang.org/2026/05/25/cve-2026-5223/
https://github.com/rust-lang/cargo/commit/285cebf58911eca5b7f177f5d0b1c53e1f646577
Search for package or bug name: Reporting problems