CVE-2026-25727

6.5 MEDIUM

📋 TL;DR

This vulnerability in the Rust time crate allows denial of service via stack exhaustion when parsing malicious RFC 2822 date/time strings. It affects applications using time crate versions 0.3.6 through 0.3.46 that parse user-provided input with RFC 2822 format. The attack exploits deprecated RFC 2822 features rarely used in legitimate input.

💻 Affected Systems

Products:
  • Rust applications using time crate
Versions: 0.3.6 through 0.3.46
Operating Systems: All platforms running Rust applications
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects parsing of RFC 2822 format date/time strings, not other formats like RFC 3339 or ISO 8601.


⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete service unavailability due to stack exhaustion causing application crashes or system instability.

🟠 Likely Case: Service disruption through application crashes when processing maliciously crafted date/time strings.

🟢 If Mitigated: An error is returned instead of stack exhaustion when the recursion limit is reached (in patched versions).

🌐 Internet-Facing: MEDIUM - Requires user input parsing with RFC 2822 format, which is less common than other date formats.
🏢 Internal Only: LOW - Internal systems typically process trusted date formats, making exploitation less likely.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting malicious RFC 2822 strings with excessive recursion using deprecated features like nested comments.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.3.47 or later

Vendor Advisory: https://github.com/time-rs/time/security/advisories/GHSA-r6v5-fh4h-64xc

Restart Required: Yes

Instructions:

1. Update Cargo.toml to specify time = "^0.3.47" or later.
2. Run 'cargo update' to fetch the new version.
3. Rebuild and redeploy the application.
4. Restart affected services.

🔧 Temporary Workarounds

Input validation for RFC 2822 (applies to: all)
  • Validate or sanitize user input before parsing with RFC 2822 format

Use alternative date formats (applies to: all)
  • Configure applications to use RFC 3339 or ISO 8601 formats instead of RFC 2822

🧯 If You Can't Patch

  • Implement strict input validation to reject RFC 2822 strings with nested comments or excessive recursion
  • Use web application firewalls or input sanitization layers to filter malicious date/time strings
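One way to implement the first point above, as an added example that is not part of this advisory or of the time crate: a pre-parse guard that bounds input length and RFC 2822 comment nesting depth before the string is handed to any date parser. The limits MAX_LEN and MAX_COMMENT_DEPTH are assumed values chosen here; legitimate RFC 2822 dates are short and rarely contain comments at all.

```rust
// Added example: a defensive pre-check for RFC 2822 date/time input.
// Not the time crate's own code; limits below are assumptions.

/// Reasons a candidate RFC 2822 string is rejected before parsing.
#[derive(Debug, PartialEq)]
pub enum Rejection {
    TooLong(usize),
    CommentTooDeep(usize),
    UnbalancedComment,
}

/// Assumed maximum accepted length; real RFC 2822 dates are far shorter.
pub const MAX_LEN: usize = 128;
/// Assumed maximum comment nesting depth to accept.
pub const MAX_COMMENT_DEPTH: usize = 2;

/// Returns the deepest comment nesting level found, or a rejection.
/// RFC 2822 comments are parenthesised and may nest; inside a comment a
/// backslash quotes the next character, so "\(" does not open a comment.
pub fn check_rfc2822_input(input: &str) -> Result<usize, Rejection> {
    if input.len() > MAX_LEN {
        return Err(Rejection::TooLong(input.len()));
    }
    let mut depth = 0usize;
    let mut max_depth = 0usize;
    let mut chars = input.chars();
    while let Some(c) = chars.next() {
        match c {
            // quoted-pair inside a comment: skip the quoted character
            '\\' if depth > 0 => { chars.next(); }
            '(' => {
                depth += 1;
                if depth > MAX_COMMENT_DEPTH {
                    return Err(Rejection::CommentTooDeep(depth));
                }
                max_depth = max_depth.max(depth);
            }
            ')' => {
                if depth == 0 { return Err(Rejection::UnbalancedComment); }
                depth -= 1;
            }
            _ => {}
        }
    }
    if depth != 0 { return Err(Rejection::UnbalancedComment); }
    Ok(max_depth)
}

fn main() {
    // Constructed sample inputs: plain, one comment, and over-nested.
    for s in ["Sat, 12 Aug 1995 13:30:00 +0000", "Sat, 12 Aug 1995 13:30:00 +0000 (UTC)", "Sat, (((x))) 12 Aug 1995 13:30:00 +0000"] {
        println!("{s:?} -> {:?}", check_rfc2822_input(s));
    }
}
```

Only input that passes this check (Ok) should be passed on to the RFC 2822 parser; rejected input can be logged for the detection indicators listed below.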

🔍 How to Verify

Check if Vulnerable:

Check Cargo.lock or Cargo.toml for time crate version between 0.3.6 and 0.3.46

Check Version:

grep -A2 -B2 'name = "time"' Cargo.lock

Verify Fix Applied:

Confirm time crate version is 0.3.47 or later in Cargo.lock and test parsing of RFC 2822 strings

📡 Detection & Monitoring

Log Indicators:

  • Application crashes or panics when parsing date/time input
  • High memory usage spikes during date parsing

Network Indicators:

  • Unusually long date/time strings in HTTP headers or API requests

SIEM Query:

source="application.log" AND ("panic" OR "stack overflow") AND "date" AND "parse"
