CVE-2026-25727 is a medium-severity vulnerability affecting the `time` crate, a Rust library for date and time handling. The vulnerability allows a denial-of-service attack via stack exhaustion when user-provided input is parsed with the RFC 2822 format. The affected versions of the library are from 0.3.6 up to, but not including, 0.3.47. The vulnerability relies on malicious use of formally deprecated features of the RFC 2822 format. Importantly, ordinary, non-malicious input will not trigger this vulnerability.
The CVSS score for this vulnerability is 6.8, indicating a medium severity level. This score reflects the potential for significant impact on the availability of the affected system, as the stack exhaustion can render the service unresponsive. Organizations using affected versions should take immediate action to address this vulnerability.
The vulnerability was disclosed on February 6, 2026, and a patch was made available with the release of version 0.3.47. Users are urged to upgrade to this version or later to prevent the possibility of exploitation. Given the potential for denial of service attacks, organizations should prioritize patching immediately.
Risks to organizations include service interruptions that could affect availability and user experience. The attack requires low privileges and active user interaction, which makes it more likely to be exploited in scenarios where user input is processed without adequate validation.
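The affected range stated above can be checked against a project's Cargo.lock. The following Rust sketch is an added example, not code from the advisory or from the `time` project; the sample lockfile is constructed and the function and constant names are hypothetical.

```rust
// Added example: flag Cargo.lock entries for `time` in the affected range
// stated in the advisory text (0.3.6 up to, but not including, 0.3.47).
const FIRST_AFFECTED: (u64, u64, u64) = (0, 3, 6);
const FIRST_FIXED: (u64, u64, u64) = (0, 3, 47);

// Constructed sample lockfile; not taken from any real project.
const SAMPLE_LOCK: &str = r#"
[[package]]
name = "time"
version = "0.1.45"

[[package]]
name = "time"
version = "0.3.36"

[[package]]
name = "time-core"
version = "0.1.2"
"#;

/// Parse a plain MAJOR.MINOR.PATCH version; pre-releases return None.
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let mut it = v.split('+').next()?.split('.');
    let mut next = || -> Option<u64> { it.next()?.parse().ok() };
    let triple = (next()?, next()?, next()?);
    if it.next().is_some() { return None; }
    Some(triple)
}

/// Versions of the `time` package in a Cargo.lock body that need attention.
fn affected_time_versions(lockfile: &str) -> Vec<String> {
    let mut hits = Vec::new();
    let mut name = "";
    for line in lockfile.lines().map(str::trim) {
        if line == "[[package]]" {
            name = "";
        } else if let Some(v) = line.strip_prefix("name = ") {
            name = v.trim_matches('"');
        } else if let Some(v) = line.strip_prefix("version = ") {
            let v = v.trim_matches('"');
            // Unparseable versions are flagged too, for manual review.
            let bad = parse_version(v).map_or(true, |t| t >= FIRST_AFFECTED && t < FIRST_FIXED);
            if name == "time" && bad { hits.push(v.to_string()); }
        }
    }
    hits
}

fn main() { println!("affected time versions: {:?}", affected_time_versions(SAMPLE_LOCK)); }
```

Only the package named exactly `time` is matched, so companion crates such as `time-core` are not reported.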
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.