CVE-2026-5223
Description
Cargo incorrectly handled symlinks inside of crate tarballs downloaded from third-party registries, allowing a malicious crate to override the source code of another crate from the same registry. The severity of the vulnerability is **medium** for users of third-party registries. Users of crates.io are **not affected**, as crates.io forbids uploading crates containing any symlink.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Mitigation details
CVE-2026-5223 NameCVE-2026-5223 DescriptionCargo incorrectly handled symlinks inside of crate tarballs downloaded from third-party registries, allowing a malicious crate to override the source code of another crate from the same registry. The severity of the vulnerability is **medium** for users of third-party registries. Users of crates.io are **not affected**, as crates.io forbids uploading…
CVE-2026-5223
| Name | CVE-2026-5223 |
| Description | Cargo incorrectly handled symlinks inside of crate tarballs downloaded from third-party registries, allowing a malicious crate to override the source code of another crate from the same registry. The severity of the vulnerability is **medium** for users of third-party registries. Users of crates.io are **not affected**, as crates.io forbids uploading crates containing any symlink. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| cargo (PTS) | bullseye | 0.47.0-3 | vulnerable |
| bookworm | 0.66.0+ds1-1 | vulnerable | |
| rust-cargo (PTS) | bullseye | 0.43.1-4 | vulnerable |
| bookworm | 0.66.0-1 | vulnerable | |
| trixie | 0.86.0-2 | vulnerable | |
| forky, sid | 0.91.0-2 | vulnerable |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| cargo | source | (unstable) | (unfixed) | |||
| rust-cargo | source | (unstable) | (unfixed) |
Notes
https://groups.google.com/g/rustlang-security-announcements/c/IB74S7Yksg8
https://blog.rust-lang.org/2026/05/25/cve-2026-5223/
https://github.com/rust-lang/cargo/commit/285cebf58911eca5b7f177f5d0b1c53e1f646577
check correctness of tracking
Apply commands
https://groups.google.com/g/rustlang-security-announcements/c/IB74S7Yksg8https://blog.rust-lang.org/2026/05/25/cve-2026-5223/https://github.com/rust-lang/cargo/commit/285cebf58911eca5b7f177f5d0b1c53e1f646577check correctness of trackingOS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| sles | affected | | |
| debian | bookworm | affected | |
| debian | bullseye | affected | |
| debian | forky | affected | |
| debian | sid | fixed | 1.95.0+dfsg1-2 |
| debian | trixie | affected | |
| windows | affected | |
References
- https://groups.google.com/g/rustlang-security-announcements/c/IB74S7Yksg8
- https://blog.rust-lang.org/2026/05/25/cve-2026-5223/
- https://github.com/rust-lang/cargo/pull/17031
- https://www.suse.com/security/cve/CVE-2026-5223.html
- https://security-tracker.debian.org/tracker/CVE-2026-5223
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-5223
CWEs
CWE-61
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.