Medium severity5.3NVD Advisory· Published May 25, 2026· Updated Jun 1, 2026
CVE-2026-5223
CVE-2026-5223
Description
Cargo incorrectly handled symlinks inside of crate tarballs downloaded from third-party registries, allowing a malicious crate to override the source code of another crate from the same registry. The severity of the vulnerability is medium for users of third-party registries. Users of crates.io are not affected, as crates.io forbids uploading crates containing any symlink.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2Patches
Vulnerability mechanics
References
3- github.com/rust-lang/cargo/pull/17031nvdIssue TrackingPatch
- blog.rust-lang.org/2026/05/25/cve-2026-5223/nvdMitigationVendor Advisory
- groups.google.com/g/rustlang-security-announcements/c/IB74S7Yksg8nvdThird Party AdvisoryMailing List
News mentions
0No linked articles in our index yet.