Public bug reported: A full description of this CVE can be found on the rust-lang blog[1].
Cargo incorrectly handles symlinks inside crate tarballs downloaded from third-party registries, allowing malicious crates to override the source code of another crate from the same registry. Starting with Rust 1.96.0, extracting any symlink within crate tarballs is rejected, so any Rust version before that is affected.

[1]: https://blog.rust-lang.org/2026/05/25/cve-2026-5223/

** Affects: rustc-1.93 (Ubuntu)
   Importance: Undecided
   Status: New

** Tags: foundations-todo

Bug: https://bugs.launchpad.net/bugs/2154209
Title: CVE-2026-5223: Crates in third party registries can override the cached source of other crates
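The bug boils down to trusting archive entry types when unpacking into a shared cache: a symlink entry in one crate's tarball can point at a sibling crate's directory, so later writes land in the wrong crate's source. The following is an added example (not Cargo's code and not part of this report) showing the defensive check in Python's standard `tarfile` module: it inspects a `.crate` archive without extracting it and flags every symlink or hard link, which is the rule Rust 1.96.0 applies. It also flags absolute paths, `..` components and entries not rooted at the crate's own `name-version/` directory; those extra checks are common hardening practice and are an assumption here, not something the report states. The function names `audit_crate_tarball` and `build_crate`, and both sample archives, are constructed for this example.

```python
import io
import posixpath
import tarfile
from dataclasses import dataclass, field


@dataclass
class AuditResult:
    """Findings for one archive; an empty `problems` list means it is safe to unpack."""
    problems: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def audit_crate_tarball(data: bytes, expected_prefix: str) -> AuditResult:
    """Inspect a .crate (gzip or plain tar) without writing anything to disk.

    Rejects the entry kinds that let one archive reach outside its own directory
    in a shared cache: symlinks and hard links (the class of entry CVE-2026-5223
    concerns), absolute paths, '..' components, and entries not rooted at
    `expected_prefix` (e.g. 'hello-0.1.0/'; that prefix rule is this example's
    assumption, not a rule the report states).
    """
    result = AuditResult()
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for member in tf:
            name = member.name
            if member.issym():
                result.problems.append(f"symlink: {name} -> {member.linkname}")
            elif member.islnk():
                result.problems.append(f"hardlink: {name} -> {member.linkname}")
            elif not (member.isfile() or member.isdir()):
                result.problems.append(f"unsupported entry type: {name}")
            if name.startswith("/"):
                result.problems.append(f"absolute path: {name}")
            # normpath collapses 'a/./b' and 'a/b/../c' so a '..' that survives
            # really does climb out of the crate directory
            if ".." in posixpath.normpath(name).split("/"):
                result.problems.append(f"path traversal: {name}")
            if not name.startswith(expected_prefix):
                result.problems.append(f"outside crate directory: {name}")
    return result


def build_crate(entries):
    """Build a gzip-compressed tar in memory from (name, kind, payload) tuples.

    kind is 'file' (payload = bytes) or 'symlink' (payload = link target).
    This produces constructed sample data only, not a real registry crate.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, kind, payload in entries:
            info = tarfile.TarInfo(name)
            if kind == "file":
                info.size = len(payload)
                tf.addfile(info, io.BytesIO(payload))
            elif kind == "symlink":
                info.type = tarfile.SYMTYPE
                info.linkname = payload
                tf.addfile(info)
            else:
                raise ValueError(f"unknown entry kind {kind!r}")
    return buf.getvalue()


# Constructed sample: a well-formed crate, every entry under its own directory.
BENIGN = build_crate([
    ("hello-0.1.0/Cargo.toml", "file", b'[package]\nname = "hello"\nversion = "0.1.0"\n'),
    ("hello-0.1.0/src/lib.rs", "file", b"pub fn hi() {}\n"),
])

# Constructed sample shaped like the advisory's pattern: one entry is a symlink
# whose target is a sibling crate's source file in the shared cache directory.
MALICIOUS = build_crate([
    ("hello-0.1.0/Cargo.toml", "file", b'[package]\nname = "hello"\nversion = "0.1.0"\n'),
    ("hello-0.1.0/src/lib.rs", "symlink", "../other-crate-2.0.0/src/lib.rs"),
])


if __name__ == "__main__":
    for label, data in (("benign", BENIGN), ("malicious", MALICIOUS)):
        result = audit_crate_tarball(data, "hello-0.1.0/")
        print(f"{label}: {'ok' if result.ok else 'REJECT'}")
        for problem in result.problems:
            print("  -", problem)
```

Run before extraction, the audit rejects the second archive on the symlink alone, the same outcome Rust 1.96.0 produces by refusing symlinks outright; the prefix and traversal checks only add defence in depth for archives that try to escape with plain file entries instead.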
