Skip to main content

Rust

20 CVEs product

Monthly

CVE-2026-32314 Cargo HIGH PATCH This Week

Rust Yamux prior to version 0.13.10 is vulnerable to denial of service when processing specially crafted inbound stream frames that combine the SYN flag with oversized body lengths, causing the connection handler to panic due to improper state cleanup. An unauthenticated remote attacker can trigger this panic over any normal Yamux session without special privileges, crashing affected applications. No patch is currently available for this high-severity vulnerability.

Rust Denial Of Service Rust Yamux
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-31814 Cargo HIGH PATCH This Week

Integer overflow in Rust's Yamux implementation allows unauthenticated remote attackers to crash target nodes by sending specially crafted WindowUpdate frames that trigger arithmetic overflow in stream send-window accounting. An attacker can establish a Yamux session and transmit malicious frames without authentication, causing a panic in the connection state machine and resulting in denial of service. A patch is available to address this high-severity vulnerability.

Denial Of Service Integer Overflow Rust
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2025-5791 Cargo HIGH PATCH This Week

Privilege escalation vulnerability in the Rust 'users' crate that incorrectly includes the root group in access control lists when a user or process has fewer than 1024 groups. An authenticated local attacker with low privileges can exploit this flaw to gain unauthorized access to resources restricted to the root group, achieving privilege escalation. The vulnerability requires local access and existing user privileges but has high impact on confidentiality and integrity.

Rust Privilege Escalation Red Hat Suse
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2024-43402 HIGH PATCH This Week

Rust is a programming language. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.

Command Injection Microsoft Rust
NVD GitHub
CVSS 3.1
8.8
EPSS
0.7%
CVE-2024-3566 CRITICAL POC Act Now

Command injection via Windows CreateProcess argument parsing affects multiple language runtimes and tooling (Node.js, PHP, Rust, Haskell process library, yt-dlp) that wrap the API without compensating for its quirks. Remote attackers can smuggle additional commands through arguments passed to child processes when applications spawn batch files or otherwise rely on CreateProcess's implicit cmd.exe handling. Publicly available exploit code exists and EPSS of 7.09% (92nd percentile) signals elevated, though not confirmed in-the-wild, exploitation interest; this CVE is not listed in CISA KEV.

Command Injection Microsoft Process Library Node Js PHP +2
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
7.1%
CVE-2024-24576 CRITICAL Act Now

Rust is a programming language. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection Microsoft Fedora Rust
NVD GitHub
CVSS 3.1
10.0
EPSS
20.3%
CVE-2023-40030 Cargo MEDIUM PATCH This Month

Cargo downloads a Rust project’s dependencies and compiles the project. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

RCE XSS Rust
NVD GitHub
CVSS 3.1
6.1
EPSS
0.8%
CVE-2021-29922 CRITICAL POC PATCH Act Now

library/std/src/net/parser.rs in Rust before 1.53.0 does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some situations) allows attackers to. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass Rust
NVD GitHub
CVSS 3.1
9.1
EPSS
2.6%
CVE-2021-31162 CRITICAL POC PATCH Act Now

In the standard library in Rust before 1.52.0, a double free can occur in the Vec::from_iter function if freeing the element panics. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Rust Fedora
NVD GitHub
CVSS 3.1
9.8
EPSS
2.9%
CVE-2021-28879 CRITICAL POC PATCH Act Now

In the standard library in Rust before 1.52.0, the Zip implementation can report an incorrect size due to an integer overflow. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Buffer Overflow Integer Overflow Rust Fedora
NVD GitHub
CVSS 3.1
9.8
EPSS
2.4%
CVE-2021-28878 HIGH POC PATCH This Week

In the standard library in Rust before 1.52.0, the Zip implementation calls __iterator_get_unchecked() more than once for the same index (under certain conditions) when next_back() and next() are. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Buffer Overflow Rust Fedora
NVD GitHub
CVSS 3.1
7.5
EPSS
2.0%
CVE-2021-28877 HIGH PATCH This Week

In the standard library in Rust before 1.51.0, the Zip implementation calls __iterator_get_unchecked() for the same index more than once when nested. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Buffer Overflow vulnerability could allow attackers to corrupt memory to execute arbitrary code or crash the application.

Buffer Overflow Rust
NVD GitHub
CVSS 3.1
7.5
EPSS
1.4%
CVE-2021-28876 MEDIUM POC PATCH This Month

In the standard library in Rust before 1.52.0, the Zip implementation has a panic safety issue. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Rust Fedora
NVD GitHub
CVSS 3.1
5.3
EPSS
1.6%
CVE-2021-28875 HIGH POC PATCH This Week

In the standard library in Rust before 1.50.0, read_to_end() does not validate the return value from Read in an unsafe context. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Buffer Overflow Rust
NVD GitHub
CVSS 3.1
7.5
EPSS
2.1%
CVE-2019-16760 Cargo HIGH POC PATCH This Week

Cargo prior to Rust 1.26.0 may download the wrong dependency if your package.toml file uses the `package` configuration key. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Rust
NVD GitHub
CVSS 3.1
7.5
EPSS
1.3%
CVE-2019-1010299 MEDIUM POC PATCH This Month

The Rust Programming Language Standard Library 1.18.0 and later is affected by: CWE-200: Information Exposure. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Rust
NVD GitHub
CVSS 3.1
5.3
EPSS
1.5%
CVE-2019-12083 HIGH POC This Week

The Rust Programming Language Standard Library 1.34.x before 1.34.2 contains a stabilized method which, if overridden, can violate Rust's safety guarantees and cause memory unsafety. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Buffer Overflow Information Disclosure Rust Fedora Leap
NVD
CVSS 3.1
8.1
EPSS
2.2%
CVE-2018-1000810 CRITICAL Act Now

The Rust Programming Language Standard Library version 1.29.0, 1.28.0, 1.27.2, 1.27.1, 127.0, 126.2, 126.1, 126.0 contains a CWE-680: Integer Overflow to Buffer Overflow vulnerability in standard. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Integer Overflow Buffer Overflow Rust
NVD
CVSS 3.0
9.8
EPSS
3.0%
CVE-2018-1000657 HIGH PATCH This Week

Rust Programming Language Rust standard library version Commit bfa0e1f58acf1c28d500c34ed258f09ae021893e and later; stable release 1.3.0 and later contains a Buffer Overflow vulnerability in. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

RCE Buffer Overflow Rust
NVD GitHub
CVSS 3.0
7.8
EPSS
0.5%
CVE-2018-1000622 HIGH This Week

The Rust Programming Language rustdoc version Between 0.8 and 1.27.0 contains a CWE-427: Uncontrolled Search Path Element vulnerability in rustdoc plugins that can result in local code execution as a. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Rust
NVD
CVSS 3.0
7.8
EPSS
1.8%
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Rust Yamux prior to version 0.13.10 is vulnerable to denial of service when processing specially crafted inbound stream frames that combine the SYN flag with oversized body lengths, causing the connection handler to panic due to improper state cleanup. An unauthenticated remote attacker can trigger this panic over any normal Yamux session without special privileges, crashing affected applications. No patch is currently available for this high-severity vulnerability.

Rust Denial Of Service Rust Yamux
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Integer overflow in Rust's Yamux implementation allows unauthenticated remote attackers to crash target nodes by sending specially crafted WindowUpdate frames that trigger arithmetic overflow in stream send-window accounting. An attacker can establish a Yamux session and transmit malicious frames without authentication, causing a panic in the connection state machine and resulting in denial of service. A patch is available to address this high-severity vulnerability.

Denial Of Service Integer Overflow Rust
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Privilege escalation vulnerability in the Rust 'users' crate that incorrectly includes the root group in access control lists when a user or process has fewer than 1024 groups. An authenticated local attacker with low privileges can exploit this flaw to gain unauthorized access to resources restricted to the root group, achieving privilege escalation. The vulnerability requires local access and existing user privileges but has high impact on confidentiality and integrity.

Rust Privilege Escalation Red Hat +1
NVD GitHub
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Rust is a programming language. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.

Command Injection Microsoft Rust
NVD GitHub
EPSS 7% CVSS 9.8
CRITICAL POC Act Now

Command injection via Windows CreateProcess argument parsing affects multiple language runtimes and tooling (Node.js, PHP, Rust, Haskell process library, yt-dlp) that wrap the API without compensating for its quirks. Remote attackers can smuggle additional commands through arguments passed to child processes when applications spawn batch files or otherwise rely on CreateProcess's implicit cmd.exe handling. Publicly available exploit code exists and EPSS of 7.09% (92nd percentile) signals elevated, though not confirmed in-the-wild, exploitation interest; this CVE is not listed in CISA KEV.

Command Injection Microsoft Process Library +4
NVD GitHub VulDB
EPSS 20% CVSS 10.0
CRITICAL Act Now

Rust is a programming language. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection Microsoft Fedora +1
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

Cargo downloads a Rust project’s dependencies and compiles the project. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

RCE XSS Rust
NVD GitHub
EPSS 3% CVSS 9.1
CRITICAL POC PATCH Act Now

library/std/src/net/parser.rs in Rust before 1.53.0 does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some situations) allows attackers to. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass Rust
NVD GitHub
EPSS 3% CVSS 9.8
CRITICAL POC PATCH Act Now

In the standard library in Rust before 1.52.0, a double free can occur in the Vec::from_iter function if freeing the element panics. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Rust Fedora
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL POC PATCH Act Now

In the standard library in Rust before 1.52.0, the Zip implementation can report an incorrect size due to an integer overflow. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Buffer Overflow Integer Overflow Rust +1
NVD GitHub
EPSS 2% CVSS 7.5
HIGH POC PATCH This Week

In the standard library in Rust before 1.52.0, the Zip implementation calls __iterator_get_unchecked() more than once for the same index (under certain conditions) when next_back() and next() are. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Buffer Overflow Rust Fedora
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

In the standard library in Rust before 1.51.0, the Zip implementation calls __iterator_get_unchecked() for the same index more than once when nested. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Buffer Overflow vulnerability could allow attackers to corrupt memory to execute arbitrary code or crash the application.

Buffer Overflow Rust
NVD GitHub
EPSS 2% CVSS 5.3
MEDIUM POC PATCH This Month

In the standard library in Rust before 1.52.0, the Zip implementation has a panic safety issue. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Rust Fedora
NVD GitHub
EPSS 2% CVSS 7.5
HIGH POC PATCH This Week

In the standard library in Rust before 1.50.0, read_to_end() does not validate the return value from Read in an unsafe context. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Buffer Overflow Rust
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

Cargo prior to Rust 1.26.0 may download the wrong dependency if your package.toml file uses the `package` configuration key. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Rust
NVD GitHub
EPSS 2% CVSS 5.3
MEDIUM POC PATCH This Month

The Rust Programming Language Standard Library 1.18.0 and later is affected by: CWE-200: Information Exposure. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Rust
NVD GitHub
EPSS 2% CVSS 8.1
HIGH POC This Week

The Rust Programming Language Standard Library 1.34.x before 1.34.2 contains a stabilized method which, if overridden, can violate Rust's safety guarantees and cause memory unsafety. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Buffer Overflow Information Disclosure Rust +2
NVD
EPSS 3% CVSS 9.8
CRITICAL Act Now

The Rust Programming Language Standard Library version 1.29.0, 1.28.0, 1.27.2, 1.27.1, 127.0, 126.2, 126.1, 126.0 contains a CWE-680: Integer Overflow to Buffer Overflow vulnerability in standard. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Integer Overflow Buffer Overflow Rust
NVD
EPSS 1% CVSS 7.8
HIGH PATCH This Week

Rust Programming Language Rust standard library version Commit bfa0e1f58acf1c28d500c34ed258f09ae021893e and later; stable release 1.3.0 and later contains a Buffer Overflow vulnerability in. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

RCE Buffer Overflow Rust
NVD GitHub
EPSS 2% CVSS 7.8
HIGH This Week

The Rust Programming Language rustdoc version Between 0.8 and 1.27.0 contains a CWE-427: Uncontrolled Search Path Element vulnerability in rustdoc plugins that can result in local code execution as a. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Rust
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy