Skip to main content

Time CVE-2026-25727

MEDIUM
Stack-based Buffer Overflow (CWE-121)
2026-02-06 security-advisories@github.com GHSA-r6v5-fh4h-64xc
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.9 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
Patch released
Feb 24, 2026 - 15:23 nvd
Patch available
CVE Published
Feb 06, 2026 - 20:16 nvd
MEDIUM 6.5

DescriptionGitHub Advisory

time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary, non-malicious input will never encounter this scenario. A limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned rather than exhausting the stack.

AnalysisAI

The Rust time library versions 0.3.6 through 0.3.46 are vulnerable to denial of service through stack exhaustion when processing maliciously crafted RFC 2822 formatted input. An unauthenticated attacker can trigger recursive parsing of deprecated RFC 2822 features to exhaust stack memory and crash applications using affected versions. A patch implementing recursion depth limits is available in version 0.3.47 and later.

Technical ContextAI

Classified as CWE-121 (Stack-based Buffer Overflow). Affects Time. time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary, non-malicious input will never encounter this scenario. A limit to the depth of recursion was added in v0.3.47. From this version, an er

RemediationAI

A vendor patch is available — apply it immediately. Restrict network access to the affected service where possible.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
Container suse/manager/5.0/x86_64/server-attestation:latest Affected
Container suse/multi-linux-manager/5.1/x86_64/server-attestation:5.1.2.8.15.2 Image server-attestation-image Affected
Container suse/sl-micro/6.0/baremetal-os-container:2.1.3-6.61 Affected
Container suse/sl-micro/6.0/base-os-container:2.1.3-7.28 Affected
Container suse/sl-micro/6.0/kvm-os-container:2.1.3-6.53 Container suse/sl-micro/6.0/rt-os-container:2.1.3-7.63 Affected

Share

CVE-2026-25727 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy