CVE-2026-5223: Crates in third party registries can override the cached source of other crates

Published May 25, 2026

Cargo incorrectly handled symlinks inside crate tarballs downloaded from third-party registries, allowing a malicious crate to override the cached source code of another crate from the same registry. The severity of the vulnerability is **medium** for users of third-party registries. Users of crates.io are **not affected**, as crates.io forbids uploading crates containing any symlink.

Affected Software

Rust Cargo

Remediation


Rust 1.96.0, to be released on May 28th, 2026, will update Cargo to reject extracting *any* symlink within crate tarballs, regardless of whether they come from crates.io (which already forbids them) or third-party registries. Note that Cargo never added symlinks when running `cargo package` or `cargo publish`, so the impact of this change on legitimately packaged crates should be minimal.
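As an added example (not Cargo's code and not part of this advisory), the following Python check applies the same rule the fix describes: inspect a `.crate` tarball (a gzip-compressed tar archive) and refuse it if any entry is a symlink or hard link. The crate layout, file contents and link target are constructed test data, and the helper that builds the tarball exists only so the check can be run offline.

```python
import io
import tarfile


def build_crate_tarball(entries):
    """Build an in-memory .crate (gzip'd tar) from (name, kind, payload) tuples.

    kind is "file" (payload = text content), "symlink" or "hardlink"
    (payload = link target). Constructed test data, not a real crate.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, kind, payload in entries:
            info = tarfile.TarInfo(name)
            if kind == "file":
                data = payload.encode()
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
            else:
                info.type = tarfile.SYMTYPE if kind == "symlink" else tarfile.LNKTYPE
                info.linkname = payload
                tar.addfile(info)
    return buf.getvalue()


def find_link_entries(crate_bytes):
    """Return [(member name, link target)] for every symlink or hard link.

    Only the archive index is read; nothing is extracted, so a malicious
    entry cannot touch the filesystem during the scan.
    """
    findings = []
    with tarfile.open(fileobj=io.BytesIO(crate_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.issym() or member.islnk():
                findings.append((member.name, member.linkname))
    return findings


def is_safe_to_extract(crate_bytes):
    """Mirror the fixed Cargo behaviour: any link entry at all is a rejection."""
    return not find_link_entries(crate_bytes)


if __name__ == "__main__":
    suspect = build_crate_tarball([
        ("demo-0.1.0/Cargo.toml", "file", '[package]\nname = "demo"\n'),
        ("demo-0.1.0/src/vendor", "symlink", "../elsewhere"),  # constructed
    ])
    for name, target in find_link_entries(suspect):
        print(f"rejecting crate: link entry {name!r} -> {target!r}")
```

Run against a downloaded registry tarball, this is the pre-extraction gate a registry mirror or CI step would apply before handing the crate to an unpatched Cargo.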

Event History

May 25, 2026
CVE Published via MITRE, 08:57 AM
Data Sourced via MITRE, 08:57 AM

Frequently Asked Questions

1. What is the severity of CVE-2026-5223?

The severity of CVE-2026-5223 is medium for users of third-party registries.

2. How do I fix CVE-2026-5223?

To fix CVE-2026-5223, update to Rust 1.96.0 or later, which will reject any symlink in crate tarballs.

3. What is the impact of CVE-2026-5223?

CVE-2026-5223 allows a malicious crate to override the source code of another crate from the same third-party registry.

4. Which software is affected by CVE-2026-5223?

CVE-2026-5223 affects Rust Cargo, particularly when using third-party registries.

5. When was CVE-2026-5223 published?

CVE-2026-5223 was published on May 25, 2026.
