CVE-2026-25727
Publication date 6 February 2026
Last updated 11 February 2026
Ubuntu priority
Description
time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary, non-malicious input will never encounter this scenario. A limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned rather than exhausting the stack.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| rust-time | 26.04 LTS resolute |
Needs evaluation
|
| 25.10 questing |
Needs evaluation
|
|
| 24.04 LTS noble |
Needs evaluation
|
|
| 22.04 LTS jammy |
Needs evaluation
|
|
| 20.04 LTS focal |
Needs evaluation
|
References
Other references
- https://www.cve.org/CVERecord?id=CVE-2026-25727
- https://rustsec.org/advisories/RUSTSEC-2026-0009.html
- https://github.com/advisories/GHSA-r6v5-fh4h-64xc
- https://github.com/time-rs/time/blob/main/CHANGELOG.md#0347-2026-02-05
- https://github.com/time-rs/time/commit/1c63dc7985b8fa26bd8c689423cc56b7a03841ee
- https://github.com/time-rs/time/releases/tag/v0.3.47
- https://github.com/time-rs/time/security/advisories/GHSA-r6v5-fh4h-64xc