CVE-2026-25727
MEDIUM
GHSA-r6v5-fh4h-64xc
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Lifecycle Timeline
3Tags
Description
time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary, non-malicious input will never encounter this scenario. A limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned rather than exhausting the stack.
Analysis
The Rust time library versions 0.3.6 through 0.3.46 are vulnerable to denial of service through stack exhaustion when processing maliciously crafted RFC 2822 formatted input. An unauthenticated attacker can trigger recursive parsing of deprecated RFC 2822 features to exhaust stack memory and crash applications using affected versions. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 30 days: Identify affected systems running Rust. From 0.3.6 to and apply vendor patches as part of regular patch cycle. …
Sign in for detailed remediation steps.
Priority Score
Vendor Status
Share
External POC / Exploit Code
Leaving vuln.today