Aug 4-6 · Las VegasCantina is at Black Hat USA · Booth 5200, AI ZoneBook a meeting
unix-symbolic-link-(symlink)-following

CVE-2026-5223

Cargo (Rust)

Medium

CVSS Details

CVSS Score
Medium
Vector String
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H
Weakness
CWE-61 UNIX Symbolic Link (Symlink) Following

Description

Cargo incorrectly handled symlinks inside of crate tarballs downloaded from third-party registries, allowing a malicious crate to override the source code of another crate from the same registry. The severity of the vulnerability is medium for users of third-party registries. Users of crates.io are not affected, as crates.io forbids uploading crates containing any symlink.

Disclosure Date

Public Disclosure
May 25, 2026