Skip to main content

Mondoo

Vulnerability Management
Technology
Services

Solutions

Financial Services
Manufacturing
Healthcare

Resources

Blog
Vulnerability Database
Documentation
GitHub

Company

About
Careers
Partners
Contact

Legal

Privacy
Terms
Imprint

© 2026 Mondoo, Inc.

Log in Get Assessment

Vulnerability IntelligenceCVE-2026-5223

CVE-2026-5223

MEDIUM6.5

Crates in third party registries can override the cached source of other crates

Published May 25, 2026

Modified 1 weeks ago

Details

Cargo incorrectly handled symlinks inside of crate tarballs downloaded from third-party registries, allowing a malicious crate to override the source code of another crate from the same registry. The severity of the vulnerability is medium for users of third-party registries. Users of crates.io are not affected, as crates.io forbids uploading crates containing any symlink.

References

https://blog.rust-lang.org/2026/05/25/cve-2026-5223/

https://github.com/rust-lang/cargo/pull/17031

https://groups.google.com/g/rustlang-security-announcements/c/IB74S7Yksg8

https://www.cve.org/CVERecord?id=CVE-2026-5223

CVSS Analysis

CVSS v4.0

6.5

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

LowAC:L

Attack Requirements

NoneAT:N

Privileges Required

NonePR:N

User Interaction

PassiveUI:P

Vulnerable System

Vuln. Confidentiality

NoneVC:N

Vuln. Integrity

LowVI:L

Vuln. Availability

NoneVA:N

Subsequent System

Subseq. Confidentiality

HighSC:H

Subseq. Integrity

HighSI:H

Subseq. Availability

HighSA:H

6.5/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H

Weakness Type (CWE)

Other

Ecosystems

Timeline

PublishedMay 25, 2026

ModifiedMay 27, 2026

CVE-2026-5223 | Mondoo Vulnerability Intelligence