time affected by a stack exhaustion denial of service attack
Description
time provides date and time handling in Rust. In versions from 0.3.6 up to but not including 0.3.47, passing user-controlled input to any type that parses the RFC 2822 format allows a denial of service via stack exhaustion. The attack relies on formally deprecated and rarely-used features of the RFC 2822 format used in a malicious manner; ordinary, non-malicious input will never trigger this scenario. A limit on the recursion depth was added in v0.3.47, from which version an error is returned rather than exhausting the stack.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2026-25727: Stack exhaustion DoS in Rust `time` crate's RFC 2822 parsing (0.3.6 to <0.3.47) via crafted input; fixed in v0.3.47.
The vulnerability resides in the RFC 2822 date-time parser of the Rust time crate. Prior to version 0.3.47, the parser performed unbounded recursion when processing certain malformed inputs, specifically those exploiting deprecated and rarely-used features of the RFC 2822 format. This design flaw allowed an attacker to craft input that would cause the parser to recurse uncontrollably, leading to stack exhaustion [1][2].
Exploitation requires the attacker to provide user-controlled input to any function that parses strings using the RFC 2822 format. The input must be crafted to trigger the recursive behavior; ordinary, non-malicious input does not cause this issue. The attack can be mounted over the network, and while user interaction is required (e.g., submitting the input to a service), the attacker does not need elevated privileges [3].
A successful attack results in a denial of service via stack exhaustion, crashing the affected application. The CVSSv4 score is 6.8 (Medium), with high impact on availability for both the vulnerable system and subsequent systems, but no impact on confidentiality or integrity [3].
The vulnerability affects time versions 0.3.6 through 0.3.46. The maintainers released version 0.3.47 on 2026-02-05, which fixes the issue by adding a recursion depth limit. When the limit is exceeded, the parser returns an error instead of crashing [1][2]. Users are advised to upgrade to v0.3.47 or later.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| time (crates.io) | >= 0.3.6, < 0.3.47 | 0.3.47 |
Affected products
- time-rs/time, range: >= 0.3.6, < 0.3.47
Patches
- 1c63dc7985b8: Avoid denial of service when parsing Rfc2822
1 file changed · +16 −5
time/src/parsing/combinator/rfc/rfc2822.rs+16 −5 modified@@ -8,6 +8,8 @@ use crate::parsing::ParsedItem; use crate::parsing::combinator::rfc::rfc2234::wsp; use crate::parsing::combinator::{ascii_char, one_or_more, zero_or_more}; +const DEPTH_LIMIT: u8 = 32; + /// Consume the `fws` rule. // The full rule is equivalent to /\r\n[ \t]+|[ \t]+(?:\r\n[ \t]+)*/ #[inline] @@ -27,15 +29,24 @@ pub(crate) fn fws(mut input: &[u8]) -> Option<ParsedItem<'_, ()>> { // The full rule is equivalent to any combination of `fws` and `comment` so long as it is not empty. #[inline] pub(crate) fn cfws(input: &[u8]) -> Option<ParsedItem<'_, ()>> { - one_or_more(|input| fws(input).or_else(|| comment(input)))(input) + one_or_more(|input| fws(input).or_else(|| comment(input, 1)))(input) } /// Consume the `comment` rule. #[inline] -fn comment(mut input: &[u8]) -> Option<ParsedItem<'_, ()>> { +fn comment(mut input: &[u8], depth: u8) -> Option<ParsedItem<'_, ()>> { + // Avoid stack exhaustion DoS by limiting recursion depth. This will cause highly-nested + // comments to fail parsing, but comments *at all* are incredibly rare in practice. + // + // The error from this will not be descriptive, but the rarity and near-certain maliciousness of + // such inputs makes this an acceptable trade-off. + if depth == DEPTH_LIMIT { + return None; + } + input = ascii_char::<b'('>(input)?.into_inner(); input = zero_or_more(fws)(input).into_inner(); - while let Some(rest) = ccontent(input) { + while let Some(rest) = ccontent(input, depth + 1) { input = rest.into_inner(); input = zero_or_more(fws)(input).into_inner(); } @@ -46,10 +57,10 @@ fn comment(mut input: &[u8]) -> Option<ParsedItem<'_, ()>> { /// Consume the `ccontent` rule. #[inline] -fn ccontent(input: &[u8]) -> Option<ParsedItem<'_, ()>> { +fn ccontent(input: &[u8], depth: u8) -> Option<ParsedItem<'_, ()>> { ctext(input) .or_else(|| quoted_pair(input)) - .or_else(|| comment(input)) + .or_else(|| comment(input, depth)) } /// Consume the `ctext` rule.
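Review bot: `const DEPTH_LIMIT: u8 = 32;` in the first hunk carries no comment on why 32 was chosen; a one-line rationale (roughly how much stack a `comment`/`ccontent` frame costs and the smallest stack the crate expects to run on) would let a future maintainer raise or lower it safely instead of guessing.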
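Review bot: in the second hunk the guard `if depth == DEPTH_LIMIT { return None; }` only holds because `cfws` seeds the recursion with `comment(input, 1)` and `comment` is the single place that increments `depth + 1`; comparing with `>=` instead would keep the bound correct for any future caller that starts at a larger value and would no longer leave the `u8` increment implicitly protected by the equality check. The doc comment on `comment` (and on `cfws`, which callers actually reach) should also state the effective limit, i.e. nesting deeper than 31 levels now yields `None`, so the new failure mode is documented behaviour rather than a surprise to users parsing unusual but legitimate headers.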
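Review bot: the third hunk forwards `depth` through `ccontent` unchanged, which is correct since `comment` performs the increment, but the change touches only `rfc2822.rs` ("1 file changed") and adds no regression test; a unit test that feeds a comment nested well beyond DEPTH_LIMIT to the RFC 2822 parser and asserts an error rather than a crash, plus one at exactly the boundary, would pin the fix against a later refactor that drops the parameter.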
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
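A stand-alone Rust sketch of the bounded-recursion fix, added here as an illustration of the mechanics above; it is not the time crate's code. The `comment`/`ccontent` structure, `DEPTH_LIMIT = 32` and the starting depth of 1 follow the patch, the `>=` comparison, `accepts` and `nested` are this example's own assumptions.

```rust
// Added example, not the time crate's own code: a simplified re-implementation
// of the RFC 2822 `comment` / `ccontent` rules with the recursion-depth guard
// introduced by the fix. DEPTH_LIMIT (32) and the starting depth (1) match
// the patch; the `>=` check and the helper names below are assumptions.
const DEPTH_LIMIT: u8 = 32;

/// Consume one `comment` starting at `(`; returns the remaining input, or
/// `None` if the comment is malformed or nested DEPTH_LIMIT deep. Without
/// the depth check every nested `(` costs another stack frame, which is the
/// stack-exhaustion DoS the advisory describes.
fn comment(input: &[u8], depth: u8) -> Option<&[u8]> {
    if depth >= DEPTH_LIMIT {
        return None; // bounded recursion: fail the parse instead of overflowing
    }
    let mut rest = match input {
        [b'(', tail @ ..] => tail,
        _ => return None,
    };
    loop {
        rest = match rest {
            [b')', tail @ ..] => return Some(tail),    // end of this comment
            [b'(', ..] => comment(rest, depth + 1)?,   // ccontent -> comment
            [b'\\', _, tail @ ..] => tail,             // quoted-pair
            [_, tail @ ..] => tail,                    // ctext / FWS byte
            [] => return None,                         // unterminated comment
        };
    }
}

/// True when `input` is exactly one well-formed comment within the limit,
/// seeding the recursion at depth 1 the way `cfws` does in the patch.
fn accepts(input: &[u8]) -> bool {
    matches!(comment(input, 1), Some(rest) if rest.is_empty())
}

/// Constructed hostile input: `n` opening parens followed by `n` closing ones.
fn nested(n: usize) -> Vec<u8> {
    let mut v = vec![b'('; n];
    v.extend(std::iter::repeat(b')').take(n));
    v
}

fn main() {
    println!("benign:   {}", accepts(b"(a (b) \\) c)")); // true
    println!("31 deep:  {}", accepts(&nested(31)));      // true
    println!("32 deep:  {}", accepts(&nested(32)));      // false
    println!("1e5 deep: {}", accepts(&nested(100_000))); // false, no crash
}
```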
References
- github.com/advisories/GHSA-r6v5-fh4h-64xc (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-25727 (advisory)
- github.com/time-rs/time/blob/main/CHANGELOG.md (web)
- github.com/time-rs/time/commit/1c63dc7985b8fa26bd8c689423cc56b7a03841ee (web, fix commit)
- github.com/time-rs/time/releases/tag/v0.3.47 (web)
- github.com/time-rs/time/security/advisories/GHSA-r6v5-fh4h-64xc (web, vendor confirmation)
- rustsec.org/advisories/RUSTSEC-2026-0009.html (web)