CVE-2026-25727
February 06, 2026
time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary, non-malicious input will never encounter this scenario. A limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned rather than exhausting the stack.
Affected Packages
https://github.com/time-rs/time.git (GITHUB):
Affected version(s) >=v0.3.6 <v0.3.47Fix Suggestion:
Update to version v0.3.47time (RUST):
Affected version(s) >=0.3.6 <0.3.47Fix Suggestion:
Update to version 0.3.47Related ResourcesĀ (9)
Do you need more information?
Contact UsCVSS v4
Base Score:
6.8
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
ACTIVE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
NONE
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
HIGH
CVSS v3
Base Score:
5.8
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality
NONE
Integrity
NONE
Availability
HIGH
Weakness Type (CWE)
Stack-based Buffer Overflow
EPSS
Base Score:
0.05
