CVE-2026-25727 (GCVE-0-2026-25727)
Vulnerability from cvelistv5 – Published: 2026-02-06 19:20 – Updated: 2026-02-06 20:22
Title
time affected by a stack exhaustion denial of service attack
Summary
time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary, non-malicious input will never encounter this scenario. A limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned rather than exhausting the stack.
Severity
6.8 MEDIUM (CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H)
CWE
- CWE-121 - Stack-based Buffer Overflow
Assigner
GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/time-rs/time/security/advisories/GHSA-r6v5-fh4h-64xc | x_refsource_CONFIRM |
| https://github.com/time-rs/time/commit/1c63dc7985b8fa26bd8c689423cc56b7a03841ee | x_refsource_MISC |
| https://github.com/time-rs/time/blob/main/CHANGELOG.md#0347-2026-02-05 | x_refsource_MISC |
| https://github.com/time-rs/time/releases/tag/v0.3.47 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25727",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-06T20:22:34.026090Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T20:22:58.488Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "time",
"vendor": "time-rs",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.3.6, \u003c 0.3.47"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary, non-malicious input will never encounter this scenario. A limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned rather than exhausting the stack."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121: Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T19:20:56.298Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/time-rs/time/security/advisories/GHSA-r6v5-fh4h-64xc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/time-rs/time/security/advisories/GHSA-r6v5-fh4h-64xc"
},
{
"name": "https://github.com/time-rs/time/commit/1c63dc7985b8fa26bd8c689423cc56b7a03841ee",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/time-rs/time/commit/1c63dc7985b8fa26bd8c689423cc56b7a03841ee"
},
{
"name": "https://github.com/time-rs/time/blob/main/CHANGELOG.md#0347-2026-02-05",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/time-rs/time/blob/main/CHANGELOG.md#0347-2026-02-05"
},
{
"name": "https://github.com/time-rs/time/releases/tag/v0.3.47",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/time-rs/time/releases/tag/v0.3.47"
}
],
"source": {
"advisory": "GHSA-r6v5-fh4h-64xc",
"discovery": "UNKNOWN"
},
"title": "time affected by a stack exhaustion denial of service attack"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25727",
"datePublished": "2026-02-06T19:20:56.298Z",
"dateReserved": "2026-02-05T16:48:00.426Z",
"dateUpdated": "2026-02-06T20:22:58.488Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
FKIE_CVE-2026-25727
Vulnerability from fkie_nvd - Published: 2026-02-06 20:16 - Updated: 2026-02-06 21:57
Severity
6.8 MEDIUM (CVSS 4.0, CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H)
Summary
time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary, non-malicious input will never encounter this scenario. A limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned rather than exhausting the stack.
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary, non-malicious input will never encounter this scenario. A limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned rather than exhausting the stack."
}
],
"id": "CVE-2026-25727",
"lastModified": "2026-02-06T21:57:22.450",
"metrics": {
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-02-06T20:16:11.860",
"references": [
{
"source": "security-advisories@github.com",
"url": "https://github.com/time-rs/time/blob/main/CHANGELOG.md#0347-2026-02-05"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/time-rs/time/commit/1c63dc7985b8fa26bd8c689423cc56b7a03841ee"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/time-rs/time/releases/tag/v0.3.47"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/time-rs/time/security/advisories/GHSA-r6v5-fh4h-64xc"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Undergoing Analysis",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-121"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
OPENSUSE-SU-2026:10180-1
Vulnerability from csaf_opensuse - Published: 2026-02-11 00:00 - Updated: 2026-02-11 00:00
Summary
rustup-1.28.2~0-3.1 on GA media
Notes
Title of the patch
rustup-1.28.2~0-3.1 on GA media
Description of the patch
These are all security issues fixed in the rustup-1.28.2~0-3.1 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2026-10180
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "rustup-1.28.2~0-3.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the rustup-1.28.2~0-3.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2026-10180",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10180-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-25727 page",
"url": "https://www.suse.com/security/cve/CVE-2026-25727/"
}
],
"title": "rustup-1.28.2~0-3.1 on GA media",
"tracking": {
"current_release_date": "2026-02-11T00:00:00Z",
"generator": {
"date": "2026-02-11T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:10180-1",
"initial_release_date": "2026-02-11T00:00:00Z",
"revision_history": [
{
"date": "2026-02-11T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "rustup-1.28.2~0-3.1.aarch64",
"product": {
"name": "rustup-1.28.2~0-3.1.aarch64",
"product_id": "rustup-1.28.2~0-3.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "rustup-1.28.2~0-3.1.ppc64le",
"product": {
"name": "rustup-1.28.2~0-3.1.ppc64le",
"product_id": "rustup-1.28.2~0-3.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "rustup-1.28.2~0-3.1.s390x",
"product": {
"name": "rustup-1.28.2~0-3.1.s390x",
"product_id": "rustup-1.28.2~0-3.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "rustup-1.28.2~0-3.1.x86_64",
"product": {
"name": "rustup-1.28.2~0-3.1.x86_64",
"product_id": "rustup-1.28.2~0-3.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rustup-1.28.2~0-3.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:rustup-1.28.2~0-3.1.aarch64"
},
"product_reference": "rustup-1.28.2~0-3.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rustup-1.28.2~0-3.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:rustup-1.28.2~0-3.1.ppc64le"
},
"product_reference": "rustup-1.28.2~0-3.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rustup-1.28.2~0-3.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:rustup-1.28.2~0-3.1.s390x"
},
"product_reference": "rustup-1.28.2~0-3.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rustup-1.28.2~0-3.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:rustup-1.28.2~0-3.1.x86_64"
},
"product_reference": "rustup-1.28.2~0-3.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-25727",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-25727"
}
],
"notes": [
{
"category": "general",
"text": "time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary, non-malicious input will never encounter this scenario. A limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned rather than exhausting the stack.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:rustup-1.28.2~0-3.1.aarch64",
"openSUSE Tumbleweed:rustup-1.28.2~0-3.1.ppc64le",
"openSUSE Tumbleweed:rustup-1.28.2~0-3.1.s390x",
"openSUSE Tumbleweed:rustup-1.28.2~0-3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-25727",
"url": "https://www.suse.com/security/cve/CVE-2026-25727"
},
{
"category": "external",
"summary": "SUSE Bug 1257901 for CVE-2026-25727",
"url": "https://bugzilla.suse.com/1257901"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:rustup-1.28.2~0-3.1.aarch64",
"openSUSE Tumbleweed:rustup-1.28.2~0-3.1.ppc64le",
"openSUSE Tumbleweed:rustup-1.28.2~0-3.1.s390x",
"openSUSE Tumbleweed:rustup-1.28.2~0-3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:rustup-1.28.2~0-3.1.aarch64",
"openSUSE Tumbleweed:rustup-1.28.2~0-3.1.ppc64le",
"openSUSE Tumbleweed:rustup-1.28.2~0-3.1.s390x",
"openSUSE Tumbleweed:rustup-1.28.2~0-3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-11T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-25727"
}
]
}
OPENSUSE-SU-2026:10182-1
Vulnerability from csaf_opensuse - Published: 2026-02-11 00:00 - Updated: 2026-02-11 00:00
Summary
snpguest-0.10.0-2.1 on GA media
Notes
Title of the patch
snpguest-0.10.0-2.1 on GA media
Description of the patch
These are all security issues fixed in the snpguest-0.10.0-2.1 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2026-10182
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "snpguest-0.10.0-2.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the snpguest-0.10.0-2.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2026-10182",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10182-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-25727 page",
"url": "https://www.suse.com/security/cve/CVE-2026-25727/"
}
],
"title": "snpguest-0.10.0-2.1 on GA media",
"tracking": {
"current_release_date": "2026-02-11T00:00:00Z",
"generator": {
"date": "2026-02-11T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:10182-1",
"initial_release_date": "2026-02-11T00:00:00Z",
"revision_history": [
{
"date": "2026-02-11T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "snpguest-0.10.0-2.1.aarch64",
"product": {
"name": "snpguest-0.10.0-2.1.aarch64",
"product_id": "snpguest-0.10.0-2.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "snpguest-0.10.0-2.1.ppc64le",
"product": {
"name": "snpguest-0.10.0-2.1.ppc64le",
"product_id": "snpguest-0.10.0-2.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "snpguest-0.10.0-2.1.s390x",
"product": {
"name": "snpguest-0.10.0-2.1.s390x",
"product_id": "snpguest-0.10.0-2.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "snpguest-0.10.0-2.1.x86_64",
"product": {
"name": "snpguest-0.10.0-2.1.x86_64",
"product_id": "snpguest-0.10.0-2.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "snpguest-0.10.0-2.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:snpguest-0.10.0-2.1.aarch64"
},
"product_reference": "snpguest-0.10.0-2.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "snpguest-0.10.0-2.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:snpguest-0.10.0-2.1.ppc64le"
},
"product_reference": "snpguest-0.10.0-2.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "snpguest-0.10.0-2.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:snpguest-0.10.0-2.1.s390x"
},
"product_reference": "snpguest-0.10.0-2.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "snpguest-0.10.0-2.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:snpguest-0.10.0-2.1.x86_64"
},
"product_reference": "snpguest-0.10.0-2.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-25727",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-25727"
}
],
"notes": [
{
"category": "general",
"text": "time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary, non-malicious input will never encounter this scenario. A limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned rather than exhausting the stack.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:snpguest-0.10.0-2.1.aarch64",
"openSUSE Tumbleweed:snpguest-0.10.0-2.1.ppc64le",
"openSUSE Tumbleweed:snpguest-0.10.0-2.1.s390x",
"openSUSE Tumbleweed:snpguest-0.10.0-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-25727",
"url": "https://www.suse.com/security/cve/CVE-2026-25727"
},
{
"category": "external",
"summary": "SUSE Bug 1257901 for CVE-2026-25727",
"url": "https://bugzilla.suse.com/1257901"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:snpguest-0.10.0-2.1.aarch64",
"openSUSE Tumbleweed:snpguest-0.10.0-2.1.ppc64le",
"openSUSE Tumbleweed:snpguest-0.10.0-2.1.s390x",
"openSUSE Tumbleweed:snpguest-0.10.0-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:snpguest-0.10.0-2.1.aarch64",
"openSUSE Tumbleweed:snpguest-0.10.0-2.1.ppc64le",
"openSUSE Tumbleweed:snpguest-0.10.0-2.1.s390x",
"openSUSE Tumbleweed:snpguest-0.10.0-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-11T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-25727"
}
]
}
OPENSUSE-SU-2026:10179-1
Vulnerability from csaf_opensuse - Published: 2026-02-11 00:00 - Updated: 2026-02-11 00:00
Summary
python311-maturin-1.11.5-1.1 on GA media
Notes
Title of the patch
python311-maturin-1.11.5-1.1 on GA media
Description of the patch
These are all security issues fixed in the python311-maturin-1.11.5-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2026-10179
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "python311-maturin-1.11.5-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the python311-maturin-1.11.5-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2026-10179",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10179-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-25727 page",
"url": "https://www.suse.com/security/cve/CVE-2026-25727/"
}
],
"title": "python311-maturin-1.11.5-1.1 on GA media",
"tracking": {
"current_release_date": "2026-02-11T00:00:00Z",
"generator": {
"date": "2026-02-11T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:10179-1",
"initial_release_date": "2026-02-11T00:00:00Z",
"revision_history": [
{
"date": "2026-02-11T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "python311-maturin-1.11.5-1.1.aarch64",
"product": {
"name": "python311-maturin-1.11.5-1.1.aarch64",
"product_id": "python311-maturin-1.11.5-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "python312-maturin-1.11.5-1.1.aarch64",
"product": {
"name": "python312-maturin-1.11.5-1.1.aarch64",
"product_id": "python312-maturin-1.11.5-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "python313-maturin-1.11.5-1.1.aarch64",
"product": {
"name": "python313-maturin-1.11.5-1.1.aarch64",
"product_id": "python313-maturin-1.11.5-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "python311-maturin-1.11.5-1.1.ppc64le",
"product": {
"name": "python311-maturin-1.11.5-1.1.ppc64le",
"product_id": "python311-maturin-1.11.5-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "python312-maturin-1.11.5-1.1.ppc64le",
"product": {
"name": "python312-maturin-1.11.5-1.1.ppc64le",
"product_id": "python312-maturin-1.11.5-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "python313-maturin-1.11.5-1.1.ppc64le",
"product": {
"name": "python313-maturin-1.11.5-1.1.ppc64le",
"product_id": "python313-maturin-1.11.5-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "python311-maturin-1.11.5-1.1.s390x",
"product": {
"name": "python311-maturin-1.11.5-1.1.s390x",
"product_id": "python311-maturin-1.11.5-1.1.s390x"
}
},
{
"category": "product_version",
"name": "python312-maturin-1.11.5-1.1.s390x",
"product": {
"name": "python312-maturin-1.11.5-1.1.s390x",
"product_id": "python312-maturin-1.11.5-1.1.s390x"
}
},
{
"category": "product_version",
"name": "python313-maturin-1.11.5-1.1.s390x",
"product": {
"name": "python313-maturin-1.11.5-1.1.s390x",
"product_id": "python313-maturin-1.11.5-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "python311-maturin-1.11.5-1.1.x86_64",
"product": {
"name": "python311-maturin-1.11.5-1.1.x86_64",
"product_id": "python311-maturin-1.11.5-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "python312-maturin-1.11.5-1.1.x86_64",
"product": {
"name": "python312-maturin-1.11.5-1.1.x86_64",
"product_id": "python312-maturin-1.11.5-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "python313-maturin-1.11.5-1.1.x86_64",
"product": {
"name": "python313-maturin-1.11.5-1.1.x86_64",
"product_id": "python313-maturin-1.11.5-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-maturin-1.11.5-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-maturin-1.11.5-1.1.aarch64"
},
"product_reference": "python311-maturin-1.11.5-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-maturin-1.11.5-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-maturin-1.11.5-1.1.ppc64le"
},
"product_reference": "python311-maturin-1.11.5-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-maturin-1.11.5-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-maturin-1.11.5-1.1.s390x"
},
"product_reference": "python311-maturin-1.11.5-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-maturin-1.11.5-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-maturin-1.11.5-1.1.x86_64"
},
"product_reference": "python311-maturin-1.11.5-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python312-maturin-1.11.5-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python312-maturin-1.11.5-1.1.aarch64"
},
"product_reference": "python312-maturin-1.11.5-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python312-maturin-1.11.5-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python312-maturin-1.11.5-1.1.ppc64le"
},
"product_reference": "python312-maturin-1.11.5-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python312-maturin-1.11.5-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python312-maturin-1.11.5-1.1.s390x"
},
"product_reference": "python312-maturin-1.11.5-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python312-maturin-1.11.5-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python312-maturin-1.11.5-1.1.x86_64"
},
"product_reference": "python312-maturin-1.11.5-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-maturin-1.11.5-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-maturin-1.11.5-1.1.aarch64"
},
"product_reference": "python313-maturin-1.11.5-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-maturin-1.11.5-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-maturin-1.11.5-1.1.ppc64le"
},
"product_reference": "python313-maturin-1.11.5-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-maturin-1.11.5-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-maturin-1.11.5-1.1.s390x"
},
"product_reference": "python313-maturin-1.11.5-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-maturin-1.11.5-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-maturin-1.11.5-1.1.x86_64"
},
"product_reference": "python313-maturin-1.11.5-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-25727",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-25727"
}
],
"notes": [
{
"category": "general",
"text": "time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary, non-malicious input will never encounter this scenario. A limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned rather than exhausting the stack.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python311-maturin-1.11.5-1.1.aarch64",
"openSUSE Tumbleweed:python311-maturin-1.11.5-1.1.ppc64le",
"openSUSE Tumbleweed:python311-maturin-1.11.5-1.1.s390x",
"openSUSE Tumbleweed:python311-maturin-1.11.5-1.1.x86_64",
"openSUSE Tumbleweed:python312-maturin-1.11.5-1.1.aarch64",
"openSUSE Tumbleweed:python312-maturin-1.11.5-1.1.ppc64le",
"openSUSE Tumbleweed:python312-maturin-1.11.5-1.1.s390x",
"openSUSE Tumbleweed:python312-maturin-1.11.5-1.1.x86_64",
"openSUSE Tumbleweed:python313-maturin-1.11.5-1.1.aarch64",
"openSUSE Tumbleweed:python313-maturin-1.11.5-1.1.ppc64le",
"openSUSE Tumbleweed:python313-maturin-1.11.5-1.1.s390x",
"openSUSE Tumbleweed:python313-maturin-1.11.5-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-25727",
"url": "https://www.suse.com/security/cve/CVE-2026-25727"
},
{
"category": "external",
"summary": "SUSE Bug 1257901 for CVE-2026-25727",
"url": "https://bugzilla.suse.com/1257901"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python311-maturin-1.11.5-1.1.aarch64",
"openSUSE Tumbleweed:python311-maturin-1.11.5-1.1.ppc64le",
"openSUSE Tumbleweed:python311-maturin-1.11.5-1.1.s390x",
"openSUSE Tumbleweed:python311-maturin-1.11.5-1.1.x86_64",
"openSUSE Tumbleweed:python312-maturin-1.11.5-1.1.aarch64",
"openSUSE Tumbleweed:python312-maturin-1.11.5-1.1.ppc64le",
"openSUSE Tumbleweed:python312-maturin-1.11.5-1.1.s390x",
"openSUSE Tumbleweed:python312-maturin-1.11.5-1.1.x86_64",
"openSUSE Tumbleweed:python313-maturin-1.11.5-1.1.aarch64",
"openSUSE Tumbleweed:python313-maturin-1.11.5-1.1.ppc64le",
"openSUSE Tumbleweed:python313-maturin-1.11.5-1.1.s390x",
"openSUSE Tumbleweed:python313-maturin-1.11.5-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python311-maturin-1.11.5-1.1.aarch64",
"openSUSE Tumbleweed:python311-maturin-1.11.5-1.1.ppc64le",
"openSUSE Tumbleweed:python311-maturin-1.11.5-1.1.s390x",
"openSUSE Tumbleweed:python311-maturin-1.11.5-1.1.x86_64",
"openSUSE Tumbleweed:python312-maturin-1.11.5-1.1.aarch64",
"openSUSE Tumbleweed:python312-maturin-1.11.5-1.1.ppc64le",
"openSUSE Tumbleweed:python312-maturin-1.11.5-1.1.s390x",
"openSUSE Tumbleweed:python312-maturin-1.11.5-1.1.x86_64",
"openSUSE Tumbleweed:python313-maturin-1.11.5-1.1.aarch64",
"openSUSE Tumbleweed:python313-maturin-1.11.5-1.1.ppc64le",
"openSUSE Tumbleweed:python313-maturin-1.11.5-1.1.s390x",
"openSUSE Tumbleweed:python313-maturin-1.11.5-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-11T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-25727"
}
]
}
OPENSUSE-SU-2026:10175-1
Vulnerability from csaf_opensuse - Published: 2026-02-11 00:00 - Updated: 2026-02-11 00:00
Summary
cargo-audit-0.22.1~git0.efcde93-2.1 on GA media
Notes
Title of the patch
cargo-audit-0.22.1~git0.efcde93-2.1 on GA media
Description of the patch
These are all security issues fixed in the cargo-audit-0.22.1~git0.efcde93-2.1 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2026-10175
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "cargo-audit-0.22.1~git0.efcde93-2.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the cargo-audit-0.22.1~git0.efcde93-2.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2026-10175",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10175-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-25727 page",
"url": "https://www.suse.com/security/cve/CVE-2026-25727/"
}
],
"title": "cargo-audit-0.22.1~git0.efcde93-2.1 on GA media",
"tracking": {
"current_release_date": "2026-02-11T00:00:00Z",
"generator": {
"date": "2026-02-11T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:10175-1",
"initial_release_date": "2026-02-11T00:00:00Z",
"revision_history": [
{
"date": "2026-02-11T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "cargo-audit-0.22.1~git0.efcde93-2.1.aarch64",
"product": {
"name": "cargo-audit-0.22.1~git0.efcde93-2.1.aarch64",
"product_id": "cargo-audit-0.22.1~git0.efcde93-2.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "cargo-audit-0.22.1~git0.efcde93-2.1.ppc64le",
"product": {
"name": "cargo-audit-0.22.1~git0.efcde93-2.1.ppc64le",
"product_id": "cargo-audit-0.22.1~git0.efcde93-2.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "cargo-audit-0.22.1~git0.efcde93-2.1.s390x",
"product": {
"name": "cargo-audit-0.22.1~git0.efcde93-2.1.s390x",
"product_id": "cargo-audit-0.22.1~git0.efcde93-2.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "cargo-audit-0.22.1~git0.efcde93-2.1.x86_64",
"product": {
"name": "cargo-audit-0.22.1~git0.efcde93-2.1.x86_64",
"product_id": "cargo-audit-0.22.1~git0.efcde93-2.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-audit-0.22.1~git0.efcde93-2.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:cargo-audit-0.22.1~git0.efcde93-2.1.aarch64"
},
"product_reference": "cargo-audit-0.22.1~git0.efcde93-2.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-audit-0.22.1~git0.efcde93-2.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:cargo-audit-0.22.1~git0.efcde93-2.1.ppc64le"
},
"product_reference": "cargo-audit-0.22.1~git0.efcde93-2.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-audit-0.22.1~git0.efcde93-2.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:cargo-audit-0.22.1~git0.efcde93-2.1.s390x"
},
"product_reference": "cargo-audit-0.22.1~git0.efcde93-2.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-audit-0.22.1~git0.efcde93-2.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:cargo-audit-0.22.1~git0.efcde93-2.1.x86_64"
},
"product_reference": "cargo-audit-0.22.1~git0.efcde93-2.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-25727",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-25727"
}
],
"notes": [
{
"category": "general",
"text": "time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary, non-malicious input will never encounter this scenario. A limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned rather than exhausting the stack.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:cargo-audit-0.22.1~git0.efcde93-2.1.aarch64",
"openSUSE Tumbleweed:cargo-audit-0.22.1~git0.efcde93-2.1.ppc64le",
"openSUSE Tumbleweed:cargo-audit-0.22.1~git0.efcde93-2.1.s390x",
"openSUSE Tumbleweed:cargo-audit-0.22.1~git0.efcde93-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-25727",
"url": "https://www.suse.com/security/cve/CVE-2026-25727"
},
{
"category": "external",
"summary": "SUSE Bug 1257901 for CVE-2026-25727",
"url": "https://bugzilla.suse.com/1257901"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:cargo-audit-0.22.1~git0.efcde93-2.1.aarch64",
"openSUSE Tumbleweed:cargo-audit-0.22.1~git0.efcde93-2.1.ppc64le",
"openSUSE Tumbleweed:cargo-audit-0.22.1~git0.efcde93-2.1.s390x",
"openSUSE Tumbleweed:cargo-audit-0.22.1~git0.efcde93-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:cargo-audit-0.22.1~git0.efcde93-2.1.aarch64",
"openSUSE Tumbleweed:cargo-audit-0.22.1~git0.efcde93-2.1.ppc64le",
"openSUSE Tumbleweed:cargo-audit-0.22.1~git0.efcde93-2.1.s390x",
"openSUSE Tumbleweed:cargo-audit-0.22.1~git0.efcde93-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-11T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-25727"
}
]
}
OPENSUSE-SU-2026:10181-1
Vulnerability from csaf_opensuse - Published: 2026-02-11 00:00 - Updated: 2026-02-11 00:00
Summary
sccache-0.13.0~1-2.1 on GA media
Notes
Title of the patch
sccache-0.13.0~1-2.1 on GA media
Description of the patch
These are all security issues fixed in the sccache-0.13.0~1-2.1 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2026-10181
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "sccache-0.13.0~1-2.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the sccache-0.13.0~1-2.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2026-10181",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10181-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-25727 page",
"url": "https://www.suse.com/security/cve/CVE-2026-25727/"
}
],
"title": "sccache-0.13.0~1-2.1 on GA media",
"tracking": {
"current_release_date": "2026-02-11T00:00:00Z",
"generator": {
"date": "2026-02-11T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:10181-1",
"initial_release_date": "2026-02-11T00:00:00Z",
"revision_history": [
{
"date": "2026-02-11T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "sccache-0.13.0~1-2.1.aarch64",
"product": {
"name": "sccache-0.13.0~1-2.1.aarch64",
"product_id": "sccache-0.13.0~1-2.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "sccache-0.13.0~1-2.1.ppc64le",
"product": {
"name": "sccache-0.13.0~1-2.1.ppc64le",
"product_id": "sccache-0.13.0~1-2.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "sccache-0.13.0~1-2.1.s390x",
"product": {
"name": "sccache-0.13.0~1-2.1.s390x",
"product_id": "sccache-0.13.0~1-2.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "sccache-0.13.0~1-2.1.x86_64",
"product": {
"name": "sccache-0.13.0~1-2.1.x86_64",
"product_id": "sccache-0.13.0~1-2.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "sccache-0.13.0~1-2.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:sccache-0.13.0~1-2.1.aarch64"
},
"product_reference": "sccache-0.13.0~1-2.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sccache-0.13.0~1-2.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:sccache-0.13.0~1-2.1.ppc64le"
},
"product_reference": "sccache-0.13.0~1-2.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sccache-0.13.0~1-2.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:sccache-0.13.0~1-2.1.s390x"
},
"product_reference": "sccache-0.13.0~1-2.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "sccache-0.13.0~1-2.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:sccache-0.13.0~1-2.1.x86_64"
},
"product_reference": "sccache-0.13.0~1-2.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-25727",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-25727"
}
],
"notes": [
{
"category": "general",
"text": "time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary, non-malicious input will never encounter this scenario. A limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned rather than exhausting the stack.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:sccache-0.13.0~1-2.1.aarch64",
"openSUSE Tumbleweed:sccache-0.13.0~1-2.1.ppc64le",
"openSUSE Tumbleweed:sccache-0.13.0~1-2.1.s390x",
"openSUSE Tumbleweed:sccache-0.13.0~1-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-25727",
"url": "https://www.suse.com/security/cve/CVE-2026-25727"
},
{
"category": "external",
"summary": "SUSE Bug 1257901 for CVE-2026-25727",
"url": "https://bugzilla.suse.com/1257901"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:sccache-0.13.0~1-2.1.aarch64",
"openSUSE Tumbleweed:sccache-0.13.0~1-2.1.ppc64le",
"openSUSE Tumbleweed:sccache-0.13.0~1-2.1.s390x",
"openSUSE Tumbleweed:sccache-0.13.0~1-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:sccache-0.13.0~1-2.1.aarch64",
"openSUSE Tumbleweed:sccache-0.13.0~1-2.1.ppc64le",
"openSUSE Tumbleweed:sccache-0.13.0~1-2.1.s390x",
"openSUSE Tumbleweed:sccache-0.13.0~1-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-11T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-25727"
}
]
}
SUSE-SU-2026:0514-1
Vulnerability from csaf_suse - Published: 2026-02-13 14:57 - Updated: 2026-02-13 14:57
Summary
Security update for cargo-auditable
Notes
Title of the patch
Security update for cargo-auditable
Description of the patch
This update for cargo-auditable fixes the following issues:
Update to version 0.7.2~0.
Security issues fixed:
- CVE-2026-25727: parsing of user-provided input by the RFC 2822 date parser can lead to stack exhaustion (bsc#1257906).
Other updates and bugfixes:
- Update to version 0.7.2~0:
* mention cargo-dist in README
* commit Cargo.lock
* bump which dev-dependency to 8.0.0
* bump object to 0.37
* Upgrade cargo_metadata to 0.23
* Expand the set of dist platforms in config
- Update to version 0.7.1~0:
* Opt out of unhelpful clippy lint
* Satisfy clippy
* Do not assume --crate-name and --out-dir are present in the rustc command, but show warnings if they aren't
* Run apt-get update before trying to install packages
* run `cargo dist init` on dist 0.30
* Drop allow-dirty from dist config, should no longer be needed
* Reorder paragraphs in README
* Note the maintenance transition for the go extraction library
* Editing pass on the adopters: scanners
* clarify Docker support
* Cargo clippy fix
* Add Wolfi OS and Chainguard to adopters
* Update mentions around Anchore tooling
* README and documentation updates for nightly
* Bump dependency version in rust-audit-info
* More work on docs
* Nicer formatting on format revision documentation
* Bump versions
* regenerate JSON schema
* cargo fmt
* Document format field
* Make it more clear that RawVersionInfo is private
* Add format field to the serialized data
* cargo clippy fix
* Add special handling for proc macros to treat them as the build dependencies they are
* Add a test to ensure proc macros are reported as build dependencies
* Add a test fixture for a crate with a proc macro dependency
* parse fully qualified package ID specs from SBOMs
* select first discovered SBOM file
* cargo sbom integration
* Get rid of unmaintained wee_alloc in test code to make people's scanners misled by GHSA chill out
* Don't fail plan workflow due to manually changed release.yml
* Bump Ubuntu version to hopefully fix release.yml workflow
* Add test for stripped binary
* Bump version to 0.6.7
* Populate changelog
* README.md: add auditable2cdx, more consistency in text
* Placate clippy
* Do not emit -Wl if a bare linker is in use
* Get rid of a compiler warning
* Add bare linker detection function
* drop boilerplate from test that's no longer relevant
* Add support for recovering rustc codegen options
* More lenient parsing of rustc arguments
* More descriptive error message in case rustc is killed abruptly
* change formatting to fit rustfmt
* More descriptive error message in case cargo is killed
* Update REPLACING_CARGO.md to fix #195
* Clarify osv-scanner support in README
* Include the command required to view metadata
* Mention wasm-tools support
* Switch from broken generic cache action to a Rust-specific one
* Fill in various fields in auditable2cdx Cargo.toml
* Include osv-scanner in the list, with a caveat
* Add link to blint repo to README
* Mention that blint supports our data
* Consolidate target definitions
* Account for WASM test dependencies changing, commit the Cargo.lock so they would stop doing that
* Migrate to a maintained toolchain action
* Fix author specification
* Add link to repository to resolverver Cargo.toml
* Bump resolverver to 0.1.0
* Add resolverver crate to the tree
- Update to version 0.6.6~0:
* Note the `object` upgrade in the changelog
* Upgrade cyclonedx-bom from 0.5 to 0.8 in auditable-cyclonedx
* Upgrade object crate from 0.30 to 0.36 to reduce dependency footprint
* Update dependencies in the lock file
* Populate changelog
* apply clippy lint
* add another --emit parsing test
* shorter code with cargo fmt
* Actually fix cargo-c compatibility
* Attempt to fix cargo-capi incompatibility
* Refactoring in preparation for fixes
* Also read the --emit flag to rustc
* Fill in changelogs
* Bump versions
* Drop cfg'd out tests
* Drop obsolete doc line
* Move dependency cycle tests from auditable-serde to cargo-auditable crate
* Remove cargo_metadata from auditable-serde API surface.
* Apply clippy lint
* Upgrade miniz_oxide to 0.8.0
* Insulate our semver from miniz_oxide semver
* Add support for Rust 2024 edition
* Update tests
* More robust OS detection for riscv feature detection
* bump version
* update changelog for auditable-extract 0.3.5
* Fix wasm component auditable data extraction
* Update blocker description in README.md
* Add openSUSE to adopters
* Update list of known adopters
* Fix detection of `riscv64-linux-android` target features
* Silence noisy lint
* Bump version requirement in rust-audit-info
* Fill in changelogs
* Bump semver of auditable-info
* Drop obsolete comment now that wasm is enabled by default
* Remove dependency on cargo-lock
* Brag about adoption in the README
* Don't use LTO for cargo-dist builds to make them consistent with `cargo install` etc
* Also build musl binaries
* dist: update dist config for future releases
* dist(cargo-auditable): ignore auditable2cdx for now
* chore: add cargo-dist
- Update to version 0.6.4~0:
* Release cargo-auditable v0.6.4
* Correctly attribute changelog file addition in changelog
* Add changelog for auditable-extract
* Verify various feature combinations in CI
* Upgrade wasmparser to remove dependencies with `unsafe`
* Add LoongArch support
* cargo fmt
* Move doc headers to README.md and point rustdoc to them, so that we have nice crates.io pages
* Expand on the note about WebAssembly parsing
* Populate changelogs
* Resume bragging about all dependencies being safe, now that there is a caveat below
* drop fuzz Cargo.lock to always fuzz against latest versions
* Bump `cargo auditable` version
* Mention WASM support in README
* Revert 'Be super duper extra sure both MinGW and MSVC are tested on CI'
* Be super duper extra sure both MinGW and MSVC are tested on CI
* Add wasm32 targets to CI for more platforms
* Don't pass --target twice in tests
* Install WASM toolchain in CI
* cargo fmt
* Add WASM end-to-end test
* cargo fmt
* Update documentation to mention the WASM feature
* cargo fmt
* Plumb WASM parsing feature through the whole stack
* Make WASM parsing an optional, non-default feature
* Add a fuzzing harness for WASM parsing
* Rewritten WASM parsing to avoid heap allocations
* Initial WASM extraction support
* Nicer assertion
* Drop obsolete comment
* Clarify that embedding the compiler version has shipped.
* Fixed section name for WASM
* Unified and more robust platform detection. Fixed wasm build process
* Initial WASM support
* More robust platform detection for picking the binary format
* Fix Windows CI to run both -msvc and -gnu
* Use the correct link.exe flag for preserving the specified symbol even if it is unused
* Fix Windows
* Fix tests on Rust 1.77
* Placate clippy
* Oops, I meant components field
* Also remove the dependencies field if empty
* Use serde_json with order preservation feature to get a more compressible JSON after workarounds
* Work around cyclonedx-bom limitations to produce minified JSON
* Also record the dependency kind
* cyclonedx-bom: also record PURL
* Also write the dependency tree
* Clear the serial number in the minimal CycloneDX variant
* Prototype impl of auditable2cdx
* Fill in auditable2cdx dependencies
* Initial auditable2cdx boilerplate
* add #![forbid(unsafe_code)]
* Initial implementation of auditable-to-cyclonedx conversion
* Add the necessary dependencies to auditable-cyclonedx
* Initial dummy package for auditable-cyclonedx
- Update to version 0.6.2~0:
* Update the lockfile
* New releases of cargo-auditable and auditable-serde
* Use a separate project for the custom rustc path tests. Fixes intermittent test failures due to race conditions
* Revert 'add commit hashes to git sources'
* Fix cyclic dependency graph being encoded
* Revert 'An unsuccessful attempt to fix cycles caused by dev-dependencies'
* An unsuccessful attempt to fix cycles caused by dev-dependencies
* Fix typo
* Add comment
* Add a test for an issue with cyclic dependencies reported at https://github.com/rustsec/rustsec/issues/1043
* Fix auditable-serde example not building
* upgrade dependency miniz_oxide to 0.6.0
* fix formatting errors
* apply clippy lints for --all-features
* improve the internal docs and comments
* apply clippy lints
* add missing sources for one of test fixtures
* add commit hashes to git sources
* Run all tests on CI
* cargo fmt
* Run `cargo clean` in tests to get rid of stale binaries
* Fix date in changelog
* Populate changelog
* Bump auditable-info version in rust-audit-info
* Add auditable-info changelog
* Bump versions following cargo-lock bump
* auditable-serde: bump `cargo-lock` to v9
* switch to UNRELEASED
* Update CHANGELOG.md
* Print a better error if calling rustc fails
* Drop unused import
* placate Clippy
* Don't inject audit info if --print argument is passed to rustc
* Reflect the version change in Cargo.lock
* Remove space from keywords
* bump version to 0.6.1
* Fix date in changelog
* Update CHANGELOG.md
* Add publish=false
* Commit the generated manpage
* Add the code for generating a manpage; rather rudimentary so far, but it's a starting point
* Explain relation to supply chain attacks
* Add keywords to the Cargo manifest
* Revert 'generate a man page for cargo auditable'
* fix formatting
* fix review feedback, relocate file to under OUT_DIR, don't use anyhow and also commit the lock file
* generate a man page for cargo auditable
* Add Clippy suppression
* placate clippy
* commit Cargo.lock
* Sync to latest object file writing code from rustc
* Fix examples in docs
* Allow redundant field names
* Apply clippy suggestion: match -> if let
* Check for clippy and format in CI
* Apply clippy suggestions
* Run CI with --locked
- Update to version 0.6.0~0:
* README and documentation improvements
* Read the rustc path passed by Cargo; fixes #90
* Read location of Cargo from the environment variable Cargo sets for third-party subcommands
* Add a note on sccache version compatibility to CHANGELOG.md
* Panic on compilation commands where we fail to parse the arguments instead of silently ignoring the error
* Specifying the binary-scanning feature is no longer needed
* Pass options such as --offline to `cargo metadata`
* Pass on arguments from `cargo auditable` invocation to the rustc wrapper; prep work towards fixing #83
* Bump rust-audit-info to 0.5.2
* Bump auditable-serde version to 0.5.2
* Correctly fill in the source even in dependency entries when converting to cargo-lock data format
* Drop the roundtrip through str in semver::Version
* Release auditable-info 0.6.1
* Bump all the version requirements for things depending on auditable-info
* Fix audit_info_from_slice function signature
Patchnames
SUSE-2026-514,SUSE-SLE-Product-HPC-15-SP4-ESPOS-2026-514,SUSE-SLE-Product-HPC-15-SP4-LTSS-2026-514,SUSE-SLE-Product-SLES-15-SP4-LTSS-2026-514,SUSE-SLE-Product-SLES_SAP-15-SP4-2026-514
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
SUSE-SU-2026:0506-1
Vulnerability from csaf_suse - Published: 2026-02-13 14:32 - Updated: 2026-02-13 14:32
Summary
Security update for cargo-auditable
Notes
Title of the patch
Security update for cargo-auditable
Description of the patch
This update for cargo-auditable fixes the following issues:
Update to version 0.7.2~0.
Security issues fixed:
- CVE-2026-25727: parsing of user-provided input by the RFC 2822 date parser can lead to stack exhaustion (bsc#1257906).
Other updates and bugfixes:
- Update to version 0.7.2~0:
* mention cargo-dist in README
* commit Cargo.lock
* bump which dev-dependency to 8.0.0
* bump object to 0.37
* Upgrade cargo_metadata to 0.23
* Expand the set of dist platforms in config
- Update to version 0.7.1~0:
* Opt out of unhelpful clippy lint
* Satisfy clippy
* Do not assume --crate-name and --out-dir are present in the rustc command, but show warnings if they aren't
* Run apt-get update before trying to install packages
* run `cargo dist init` on dist 0.30
* Drop allow-dirty from dist config, should no longer be needed
* Reorder paragraphs in README
* Note the maintenance transition for the go extraction library
* Editing pass on the adopters: scanners
* clarify Docker support
* Cargo clippy fix
* Add Wolfi OS and Chainguard to adopters
* Update mentions around Anchore tooling
* README and documentation updates for nightly
* Bump dependency version in rust-audit-info
* More work on docs
* Nicer formatting on format revision documentation
* Bump versions
* regenerate JSON schema
* cargo fmt
* Document format field
* Make it more clear that RawVersionInfo is private
* Add format field to the serialized data
* cargo clippy fix
* Add special handling for proc macros to treat them as the build dependencies they are
* Add a test to ensure proc macros are reported as build dependencies
* Add a test fixture for a crate with a proc macro dependency
* parse fully qualified package ID specs from SBOMs
* select first discovered SBOM file
* cargo sbom integration
* Get rid of unmaintained wee_alloc in test code to make people's scanners misled by GHSA chill out
* Don't fail plan workflow due to manually changed release.yml
* Bump Ubuntu version to hopefully fix release.yml workflow
* Add test for stripped binary
* Bump version to 0.6.7
* Populate changelog
* README.md: add auditable2cdx, more consistency in text
* Placate clippy
* Do not emit -Wl if a bare linker is in use
* Get rid of a compiler warning
* Add bare linker detection function
* drop boilerplate from test that's no longer relevant
* Add support for recovering rustc codegen options
* More lenient parsing of rustc arguments
* More descriptive error message in case rustc is killed abruptly
* change formatting to fit rustfmt
* More descriptive error message in case cargo is killed
* Update REPLACING_CARGO.md to fix #195
* Clarify osv-scanner support in README
* Include the command required to view metadata
* Mention wasm-tools support
* Switch from broken generic cache action to a Rust-specific one
* Fill in various fields in auditable2cdx Cargo.toml
* Include osv-scanner in the list, with a caveat
* Add link to blint repo to README
* Mention that blint supports our data
* Consolidate target definitions
* Account for WASM test dependencies changing, commit the Cargo.lock so they would stop doing that
* Migrate to a maintained toolchain action
* Fix author specification
* Add link to repository to resolverver Cargo.toml
* Bump resolverver to 0.1.0
* Add resolverver crate to the tree
- Update to version 0.6.6~0:
* Note the `object` upgrade in the changelog
* Upgrade cyclonedx-bom from 0.5 to 0.8 in auditable-cyclonedx
* Upgrade object crate from 0.30 to 0.36 to reduce dependency footprint
* Update dependencies in the lock file
* Populate changelog
* apply clippy lint
* add another --emit parsing test
* shorter code with cargo fmt
* Actually fix cargo-c compatibility
* Attempt to fix cargo-capi incompatibility
* Refactoring in preparation for fixes
* Also read the --emit flag to rustc
* Fill in changelogs
* Bump versions
* Drop cfg'd out tests
* Drop obsolete doc line
* Move dependency cycle tests from auditable-serde to cargo-auditable crate
* Remove cargo_metadata from auditable-serde API surface.
* Apply clippy lint
* Upgrade miniz_oxide to 0.8.0
* Insulate our semver from miniz_oxide semver
* Add support for Rust 2024 edition
* Update tests
* More robust OS detection for riscv feature detection
* bump version
* update changelog for auditable-extract 0.3.5
* Fix wasm component auditable data extraction
* Update blocker description in README.md
* Add openSUSE to adopters
* Update list of known adopters
* Fix detection of `riscv64-linux-android` target features
* Silence noisy lint
* Bump version requirement in rust-audit-info
* Fill in changelogs
* Bump semver of auditable-info
* Drop obsolete comment now that wasm is enabled by default
* Remove dependency on cargo-lock
* Brag about adoption in the README
* Don't use LTO for cargo-dist builds to make them consistent with `cargo install` etc
* Also build musl binaries
* dist: update dist config for future releases
* dist(cargo-auditable): ignore auditable2cdx for now
* chore: add cargo-dist
Patchnames
SUSE-2026-506,SUSE-SLE-Module-Development-Tools-15-SP7-2026-506
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for cargo-auditable",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for cargo-auditable fixes the following issues:\n\nUpdate to version 0.7.2~0.\n\nSecurity issues fixed:\n\n- CVE-2026-25727: parsing of user-provided input by the RFC 2822 date parser can lead to stack exhaustion\n (bsc#1257906).\n\nOther updates and bugfixes:\n\n- Update to version 0.7.2~0:\n\n * mention cargo-dist in README\n * commit Cargo.lock\n * bump which dev-dependency to 8.0.0\n * bump object to 0.37\n * Upgrade cargo_metadata to 0.23\n * Expand the set of dist platforms in config\n\n- Update to version 0.7.1~0:\n\n * Out out of unhelpful clippy lint\n * Satisfy clippy\n * Do not assume --crate-name and --out-dir are present in the rustc command, but show warnings if they aren\u0027t\n * Run apt-get update before trying to install packages\n * run `cargo dist init` on dist 0.30\n * Drop allow-dirty from dist config, should no longer be needed\n * Reorder paragraphs in README\n * Note the maintenance transition for the go extraction library\n * Editing pass on the adopters: scanners\n * clarify Docker support\n * Cargo clippy fix\n * Add Wolfi OS and Chainguard to adopters\n * Update mentions around Anchore tooling\n * README and documentation updates for nightly\n * Bump dependency version in rust-audit-info\n * More work on docs\n * Nicer formatting on format revision documentation\n * Bump versions\n * regenerate JSON schema\n * cargo fmt\n * Document format field\n * Make it more clear that RawVersionInfo is private\n * Add format field to the serialized data\n * cargo clippy fix\n * Add special handling for proc macros to treat them as the build dependencies they are\n * Add a test to ensure proc macros are reported as build dependencies\n * Add a test fixture for a crate with a proc macro dependency\n * parse fully qualified package ID specs from SBOMs\n * select first discovered SBOM file\n * cargo sbom integration\n * Get rid of unmaintained wee_alloc in test code to make people\u0027s scanners misled by GHSA chill out\n * 
Don\u0027t fail plan workflow due to manually changed release.yml\n * Bump Ubuntu version to hopefully fix release.yml workflow\n * Add test for stripped binary\n * Bump version to 0.6.7\n * Populate changelog\n * README.md: add auditable2cdx, more consistency in text\n * Placate clippy\n * Do not emit -Wl if a bare linker is in use\n * Get rid of a compiler warning\n * Add bare linker detection function\n * drop boilerplate from test that\u0027s no longer relevant\n * Add support for recovering rustc codegen options\n * More lenient parsing of rustc arguments\n * More descriptive error message in case rustc is killed abruptly\n * change formatting to fit rustfmt\n * More descriptive error message in case cargo is killed\n * Update REPLACING_CARGO.md to fix #195\n * Clarify osv-scanner support in README\n * Include the command required to view metadata\n * Mention wasm-tools support\n * Switch from broken generic cache action to a Rust-specific one\n * Fill in various fields in auditable2cdx Cargo.toml\n * Include osv-scanner in the list, with a caveat\n * Add link to blint repo to README\n * Mention that blint supports our data\n * Consolidate target definitions\n * Account for WASM test dependencies changing, commit the Cargo.lock so they would stop doing that\n * Migrate to a maintained toolchain action\n * Fix author specification\n * Add link to repository to resolverver Cargo.toml\n * Bump resolverver to 0.1.0\n * Add resolverver crate to the tree\n\n- Update to version 0.6.6~0:\n\n * Note the `object` upgrade in the changelog\n * Upgrade cyclonedx-bom from 0.5 to 0.8 in auditable-cyclonedx\n * Upgrade object crate from 0.30 to 0.36 to reduce dependency footprint\n * Update dependencies in the lock file\n * Populate changelog\n * apply clippy lint\n * add another --emit parsing test\n * shorter code with cargo fmt\n * Actually fix cargo-c compatibility\n * Attempt to fix cargo-capi incompatibility\n * Refactoring in preparation for fixes\n * Also read the 
--emit flag to rustc\n * Fill in changelogs\n * Bump versions\n * Drop cfg\u0027d out tests\n * Drop obsolete doc line\n * Move dependency cycle tests from auditable-serde to cargo-auditable crate\n * Remove cargo_metadata from auditable-serde API surface.\n * Apply clippy lint\n * Upgrade miniz_oxide to 0.8.0\n * Insulate our semver from miniz_oxide semver\n * Add support for Rust 2024 edition\n * Update tests\n * More robust OS detection for riscv feature detection\n * bump version\n * update changelog for auditable-extract 0.3.5\n * Fix wasm component auditable data extraction\n * Update blocker description in README.md\n * Add openSUSE to adopters\n * Update list of know adopters\n * Fix detection of `riscv64-linux-android` target features\n * Silence noisy lint\n * Bump version requirement in rust-audit-info\n * Fill in changelogs\n * Bump semver of auditable-info\n * Drop obsolete comment now that wasm is enabled by default\n * Remove dependency on cargo-lock\n * Brag about adoption in the README\n * Don\u0027t use LTO for cargo-dist builds to make them consistent with `cargo install` etc\n * Also build musl binaries\n * dist: update dist config for future releases\n * dist(cargo-auditable): ignore auditable2cdx for now\n * chore: add cargo-dist\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2026-506,SUSE-SLE-Module-Development-Tools-15-SP7-2026-506",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_0506-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:0506-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260506-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:0506-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-February/024238.html"
},
{
"category": "self",
"summary": "SUSE Bug 1257906",
"url": "https://bugzilla.suse.com/1257906"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-25727 page",
"url": "https://www.suse.com/security/cve/CVE-2026-25727/"
}
],
"title": "Security update for cargo-auditable",
"tracking": {
"current_release_date": "2026-02-13T14:32:17Z",
"generator": {
"date": "2026-02-13T14:32:17Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:0506-1",
"initial_release_date": "2026-02-13T14:32:17Z",
"revision_history": [
{
"date": "2026-02-13T14:32:17Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "cargo-auditable-0.7.2~0-150700.3.5.1.aarch64",
"product": {
"name": "cargo-auditable-0.7.2~0-150700.3.5.1.aarch64",
"product_id": "cargo-auditable-0.7.2~0-150700.3.5.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "cargo-auditable-0.7.2~0-150700.3.5.1.i586",
"product": {
"name": "cargo-auditable-0.7.2~0-150700.3.5.1.i586",
"product_id": "cargo-auditable-0.7.2~0-150700.3.5.1.i586"
}
}
],
"category": "architecture",
"name": "i586"
},
{
"branches": [
{
"category": "product_version",
"name": "cargo-auditable-0.7.2~0-150700.3.5.1.ppc64le",
"product": {
"name": "cargo-auditable-0.7.2~0-150700.3.5.1.ppc64le",
"product_id": "cargo-auditable-0.7.2~0-150700.3.5.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "cargo-auditable-0.7.2~0-150700.3.5.1.s390x",
"product": {
"name": "cargo-auditable-0.7.2~0-150700.3.5.1.s390x",
"product_id": "cargo-auditable-0.7.2~0-150700.3.5.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "cargo-auditable-0.7.2~0-150700.3.5.1.x86_64",
"product": {
"name": "cargo-auditable-0.7.2~0-150700.3.5.1.x86_64",
"product_id": "cargo-auditable-0.7.2~0-150700.3.5.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Development Tools 15 SP7",
"product": {
"name": "SUSE Linux Enterprise Module for Development Tools 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Development Tools 15 SP7",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-development-tools:15:sp7"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-auditable-0.7.2~0-150700.3.5.1.aarch64 as component of SUSE Linux Enterprise Module for Development Tools 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Development Tools 15 SP7:cargo-auditable-0.7.2~0-150700.3.5.1.aarch64"
},
"product_reference": "cargo-auditable-0.7.2~0-150700.3.5.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Development Tools 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-auditable-0.7.2~0-150700.3.5.1.ppc64le as component of SUSE Linux Enterprise Module for Development Tools 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Development Tools 15 SP7:cargo-auditable-0.7.2~0-150700.3.5.1.ppc64le"
},
"product_reference": "cargo-auditable-0.7.2~0-150700.3.5.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Development Tools 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-auditable-0.7.2~0-150700.3.5.1.s390x as component of SUSE Linux Enterprise Module for Development Tools 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Development Tools 15 SP7:cargo-auditable-0.7.2~0-150700.3.5.1.s390x"
},
"product_reference": "cargo-auditable-0.7.2~0-150700.3.5.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Development Tools 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-auditable-0.7.2~0-150700.3.5.1.x86_64 as component of SUSE Linux Enterprise Module for Development Tools 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Development Tools 15 SP7:cargo-auditable-0.7.2~0-150700.3.5.1.x86_64"
},
"product_reference": "cargo-auditable-0.7.2~0-150700.3.5.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Development Tools 15 SP7"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-25727",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-25727"
}
],
"notes": [
{
"category": "general",
"text": "time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary, non-malicious input will never encounter this scenario. A limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned rather than exhausting the stack.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Development Tools 15 SP7:cargo-auditable-0.7.2~0-150700.3.5.1.aarch64",
"SUSE Linux Enterprise Module for Development Tools 15 SP7:cargo-auditable-0.7.2~0-150700.3.5.1.ppc64le",
"SUSE Linux Enterprise Module for Development Tools 15 SP7:cargo-auditable-0.7.2~0-150700.3.5.1.s390x",
"SUSE Linux Enterprise Module for Development Tools 15 SP7:cargo-auditable-0.7.2~0-150700.3.5.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-25727",
"url": "https://www.suse.com/security/cve/CVE-2026-25727"
},
{
"category": "external",
"summary": "SUSE Bug 1257901 for CVE-2026-25727",
"url": "https://bugzilla.suse.com/1257901"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Development Tools 15 SP7:cargo-auditable-0.7.2~0-150700.3.5.1.aarch64",
"SUSE Linux Enterprise Module for Development Tools 15 SP7:cargo-auditable-0.7.2~0-150700.3.5.1.ppc64le",
"SUSE Linux Enterprise Module for Development Tools 15 SP7:cargo-auditable-0.7.2~0-150700.3.5.1.s390x",
"SUSE Linux Enterprise Module for Development Tools 15 SP7:cargo-auditable-0.7.2~0-150700.3.5.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Development Tools 15 SP7:cargo-auditable-0.7.2~0-150700.3.5.1.aarch64",
"SUSE Linux Enterprise Module for Development Tools 15 SP7:cargo-auditable-0.7.2~0-150700.3.5.1.ppc64le",
"SUSE Linux Enterprise Module for Development Tools 15 SP7:cargo-auditable-0.7.2~0-150700.3.5.1.s390x",
"SUSE Linux Enterprise Module for Development Tools 15 SP7:cargo-auditable-0.7.2~0-150700.3.5.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-13T14:32:17Z",
"details": "important"
}
],
"title": "CVE-2026-25727"
}
]
}
SUSE-SU-2026:0505-1
Vulnerability from csaf_suse - Published: 2026-02-13 14:31 - Updated: 2026-02-13 14:31
Summary
Security update for cargo-auditable
Notes
Title of the patch
Security update for cargo-auditable
Description of the patch
This update for cargo-auditable fixes the following issues:
Update to version 0.7.2~0.
Security issues fixed:
- CVE-2026-25727: parsing of user-provided input by the RFC 2822 date parser can lead to stack exhaustion (bsc#1257906).
Other updates and bugfixes:
- Update to version 0.7.2~0:
* mention cargo-dist in README
* commit Cargo.lock
* bump which dev-dependency to 8.0.0
* bump object to 0.37
* Upgrade cargo_metadata to 0.23
* Expand the set of dist platforms in config
- Update to version 0.7.1~0:
* Opt out of unhelpful clippy lint
* Satisfy clippy
* Do not assume --crate-name and --out-dir are present in the rustc command, but show warnings if they aren't
* Run apt-get update before trying to install packages
* run `cargo dist init` on dist 0.30
* Drop allow-dirty from dist config, should no longer be needed
* Reorder paragraphs in README
* Note the maintenance transition for the go extraction library
* Editing pass on the adopters: scanners
* clarify Docker support
* Cargo clippy fix
* Add Wolfi OS and Chainguard to adopters
* Update mentions around Anchore tooling
* README and documentation updates for nightly
* Bump dependency version in rust-audit-info
* More work on docs
* Nicer formatting on format revision documentation
* Bump versions
* regenerate JSON schema
* cargo fmt
* Document format field
* Make it more clear that RawVersionInfo is private
* Add format field to the serialized data
* cargo clippy fix
* Add special handling for proc macros to treat them as the build dependencies they are
* Add a test to ensure proc macros are reported as build dependencies
* Add a test fixture for a crate with a proc macro dependency
* parse fully qualified package ID specs from SBOMs
* select first discovered SBOM file
* cargo sbom integration
* Get rid of unmaintained wee_alloc in test code to make people's scanners misled by GHSA chill out
* Don't fail plan workflow due to manually changed release.yml
* Bump Ubuntu version to hopefully fix release.yml workflow
* Add test for stripped binary
* Bump version to 0.6.7
* Populate changelog
* README.md: add auditable2cdx, more consistency in text
* Placate clippy
* Do not emit -Wl if a bare linker is in use
* Get rid of a compiler warning
* Add bare linker detection function
* drop boilerplate from test that's no longer relevant
* Add support for recovering rustc codegen options
* More lenient parsing of rustc arguments
* More descriptive error message in case rustc is killed abruptly
* change formatting to fit rustfmt
* More descriptive error message in case cargo is killed
* Update REPLACING_CARGO.md to fix #195
* Clarify osv-scanner support in README
* Include the command required to view metadata
* Mention wasm-tools support
* Switch from broken generic cache action to a Rust-specific one
* Fill in various fields in auditable2cdx Cargo.toml
* Include osv-scanner in the list, with a caveat
* Add link to blint repo to README
* Mention that blint supports our data
* Consolidate target definitions
* Account for WASM test dependencies changing, commit the Cargo.lock so they would stop doing that
* Migrate to a maintained toolchain action
* Fix author specification
* Add link to repository to resolverver Cargo.toml
* Bump resolverver to 0.1.0
* Add resolverver crate to the tree
- Update to version 0.6.6~0:
* Note the `object` upgrade in the changelog
* Upgrade cyclonedx-bom from 0.5 to 0.8 in auditable-cyclonedx
* Upgrade object crate from 0.30 to 0.36 to reduce dependency footprint
* Update dependencies in the lock file
* Populate changelog
* apply clippy lint
* add another --emit parsing test
* shorter code with cargo fmt
* Actually fix cargo-c compatibility
* Attempt to fix cargo-capi incompatibility
* Refactoring in preparation for fixes
* Also read the --emit flag to rustc
* Fill in changelogs
* Bump versions
* Drop cfg'd out tests
* Drop obsolete doc line
* Move dependency cycle tests from auditable-serde to cargo-auditable crate
* Remove cargo_metadata from auditable-serde API surface.
* Apply clippy lint
* Upgrade miniz_oxide to 0.8.0
* Insulate our semver from miniz_oxide semver
* Add support for Rust 2024 edition
* Update tests
* More robust OS detection for riscv feature detection
* bump version
* update changelog for auditable-extract 0.3.5
* Fix wasm component auditable data extraction
* Update blocker description in README.md
* Add openSUSE to adopters
* Update list of known adopters
* Fix detection of `riscv64-linux-android` target features
* Silence noisy lint
* Bump version requirement in rust-audit-info
* Fill in changelogs
* Bump semver of auditable-info
* Drop obsolete comment now that wasm is enabled by default
* Remove dependency on cargo-lock
* Brag about adoption in the README
* Don't use LTO for cargo-dist builds to make them consistent with `cargo install` etc
* Also build musl binaries
* dist: update dist config for future releases
* dist(cargo-auditable): ignore auditable2cdx for now
* chore: add cargo-dist
Patchnames
SUSE-2026-505,SUSE-SLE-Product-HPC-15-SP5-ESPOS-2026-505,SUSE-SLE-Product-HPC-15-SP5-LTSS-2026-505,SUSE-SLE-Product-SLES-15-SP5-LTSS-2026-505,SUSE-SLE-Product-SLES-15-SP6-LTSS-2026-505,SUSE-SLE-Product-SLES_SAP-15-SP5-2026-505,SUSE-SLE-Product-SLES_SAP-15-SP6-2026-505,openSUSE-SLE-15.6-2026-505
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for cargo-auditable",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for cargo-auditable fixes the following issues:\n\nUpdate to version 0.7.2~0.\n\nSecurity issues fixed:\n\n- CVE-2026-25727: parsing of user-provided input by the RFC 2822 date parser can lead to stack exhaustion\n (bsc#1257906).\n\nOther updates and bugfixes:\n\n- Update to version 0.7.2~0:\n\n * mention cargo-dist in README\n * commit Cargo.lock\n * bump which dev-dependency to 8.0.0\n * bump object to 0.37\n * Upgrade cargo_metadata to 0.23\n * Expand the set of dist platforms in config\n\n- Update to version 0.7.1~0:\n\n * Out out of unhelpful clippy lint\n * Satisfy clippy\n * Do not assume --crate-name and --out-dir are present in the rustc command, but show warnings if they aren\u0027t\n * Run apt-get update before trying to install packages\n * run `cargo dist init` on dist 0.30\n * Drop allow-dirty from dist config, should no longer be needed\n * Reorder paragraphs in README\n * Note the maintenance transition for the go extraction library\n * Editing pass on the adopters: scanners\n * clarify Docker support\n * Cargo clippy fix\n * Add Wolfi OS and Chainguard to adopters\n * Update mentions around Anchore tooling\n * README and documentation updates for nightly\n * Bump dependency version in rust-audit-info\n * More work on docs\n * Nicer formatting on format revision documentation\n * Bump versions\n * regenerate JSON schema\n * cargo fmt\n * Document format field\n * Make it more clear that RawVersionInfo is private\n * Add format field to the serialized data\n * cargo clippy fix\n * Add special handling for proc macros to treat them as the build dependencies they are\n * Add a test to ensure proc macros are reported as build dependencies\n * Add a test fixture for a crate with a proc macro dependency\n * parse fully qualified package ID specs from SBOMs\n * select first discovered SBOM file\n * cargo sbom integration\n * Get rid of unmaintained wee_alloc in test code to make people\u0027s scanners misled by GHSA chill out\n * 
Don\u0027t fail plan workflow due to manually changed release.yml\n * Bump Ubuntu version to hopefully fix release.yml workflow\n * Add test for stripped binary\n * Bump version to 0.6.7\n * Populate changelog\n * README.md: add auditable2cdx, more consistency in text\n * Placate clippy\n * Do not emit -Wl if a bare linker is in use\n * Get rid of a compiler warning\n * Add bare linker detection function\n * drop boilerplate from test that\u0027s no longer relevant\n * Add support for recovering rustc codegen options\n * More lenient parsing of rustc arguments\n * More descriptive error message in case rustc is killed abruptly\n * change formatting to fit rustfmt\n * More descriptive error message in case cargo is killed\n * Update REPLACING_CARGO.md to fix #195\n * Clarify osv-scanner support in README\n * Include the command required to view metadata\n * Mention wasm-tools support\n * Switch from broken generic cache action to a Rust-specific one\n * Fill in various fields in auditable2cdx Cargo.toml\n * Include osv-scanner in the list, with a caveat\n * Add link to blint repo to README\n * Mention that blint supports our data\n * Consolidate target definitions\n * Account for WASM test dependencies changing, commit the Cargo.lock so they would stop doing that\n * Migrate to a maintained toolchain action\n * Fix author specification\n * Add link to repository to resolverver Cargo.toml\n * Bump resolverver to 0.1.0\n * Add resolverver crate to the tree\n\n- Update to version 0.6.6~0:\n\n * Note the `object` upgrade in the changelog\n * Upgrade cyclonedx-bom from 0.5 to 0.8 in auditable-cyclonedx\n * Upgrade object crate from 0.30 to 0.36 to reduce dependency footprint\n * Update dependencies in the lock file\n * Populate changelog\n * apply clippy lint\n * add another --emit parsing test\n * shorter code with cargo fmt\n * Actually fix cargo-c compatibility\n * Attempt to fix cargo-capi incompatibility\n * Refactoring in preparation for fixes\n * Also read the 
--emit flag to rustc\n * Fill in changelogs\n * Bump versions\n * Drop cfg\u0027d out tests\n * Drop obsolete doc line\n * Move dependency cycle tests from auditable-serde to cargo-auditable crate\n * Remove cargo_metadata from auditable-serde API surface.\n * Apply clippy lint\n * Upgrade miniz_oxide to 0.8.0\n * Insulate our semver from miniz_oxide semver\n * Add support for Rust 2024 edition\n * Update tests\n * More robust OS detection for riscv feature detection\n * bump version\n * update changelog for auditable-extract 0.3.5\n * Fix wasm component auditable data extraction\n * Update blocker description in README.md\n * Add openSUSE to adopters\n * Update list of know adopters\n * Fix detection of `riscv64-linux-android` target features\n * Silence noisy lint\n * Bump version requirement in rust-audit-info\n * Fill in changelogs\n * Bump semver of auditable-info\n * Drop obsolete comment now that wasm is enabled by default\n * Remove dependency on cargo-lock\n * Brag about adoption in the README\n * Don\u0027t use LTO for cargo-dist builds to make them consistent with `cargo install` etc\n * Also build musl binaries\n * dist: update dist config for future releases\n * dist(cargo-auditable): ignore auditable2cdx for now\n * chore: add cargo-dist\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2026-505,SUSE-SLE-Product-HPC-15-SP5-ESPOS-2026-505,SUSE-SLE-Product-HPC-15-SP5-LTSS-2026-505,SUSE-SLE-Product-SLES-15-SP5-LTSS-2026-505,SUSE-SLE-Product-SLES-15-SP6-LTSS-2026-505,SUSE-SLE-Product-SLES_SAP-15-SP5-2026-505,SUSE-SLE-Product-SLES_SAP-15-SP6-2026-505,openSUSE-SLE-15.6-2026-505",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_0505-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:0505-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260505-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:0505-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-February/024243.html"
},
{
"category": "self",
"summary": "SUSE Bug 1257906",
"url": "https://bugzilla.suse.com/1257906"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-25727 page",
"url": "https://www.suse.com/security/cve/CVE-2026-25727/"
}
],
"title": "Security update for cargo-auditable",
"tracking": {
"current_release_date": "2026-02-13T14:31:50Z",
"generator": {
"date": "2026-02-13T14:31:50Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:0505-1",
"initial_release_date": "2026-02-13T14:31:50Z",
"revision_history": [
{
"date": "2026-02-13T14:31:50Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "cargo-auditable-0.7.2~0-150500.12.6.1.aarch64",
"product": {
"name": "cargo-auditable-0.7.2~0-150500.12.6.1.aarch64",
"product_id": "cargo-auditable-0.7.2~0-150500.12.6.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "cargo-auditable-0.7.2~0-150500.12.6.1.i586",
"product": {
"name": "cargo-auditable-0.7.2~0-150500.12.6.1.i586",
"product_id": "cargo-auditable-0.7.2~0-150500.12.6.1.i586"
}
}
],
"category": "architecture",
"name": "i586"
},
{
"branches": [
{
"category": "product_version",
"name": "cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le",
"product": {
"name": "cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le",
"product_id": "cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "cargo-auditable-0.7.2~0-150500.12.6.1.s390x",
"product": {
"name": "cargo-auditable-0.7.2~0-150500.12.6.1.s390x",
"product_id": "cargo-auditable-0.7.2~0-150500.12.6.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "cargo-auditable-0.7.2~0-150500.12.6.1.x86_64",
"product": {
"name": "cargo-auditable-0.7.2~0-150500.12.6.1.x86_64",
"product_id": "cargo-auditable-0.7.2~0-150500.12.6.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle_hpc-espos:15:sp5"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle_hpc-ltss:15:sp5"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 15 SP5-LTSS",
"product": {
"name": "SUSE Linux Enterprise Server 15 SP5-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP5-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles-ltss:15:sp5"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 15 SP6-LTSS",
"product": {
"name": "SUSE Linux Enterprise Server 15 SP6-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP6-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles-ltss:15:sp6"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP5",
"product": {
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP5",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP5",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles_sap:15:sp5"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP6",
"product": {
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP6",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP6",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles_sap:15:sp6"
}
}
},
{
"category": "product_name",
"name": "openSUSE Leap 15.6",
"product": {
"name": "openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.6"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-auditable-0.7.2~0-150500.12.6.1.aarch64 as component of SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:cargo-auditable-0.7.2~0-150500.12.6.1.aarch64"
},
"product_reference": "cargo-auditable-0.7.2~0-150500.12.6.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-auditable-0.7.2~0-150500.12.6.1.x86_64 as component of SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:cargo-auditable-0.7.2~0-150500.12.6.1.x86_64"
},
"product_reference": "cargo-auditable-0.7.2~0-150500.12.6.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-auditable-0.7.2~0-150500.12.6.1.aarch64 as component of SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.aarch64"
},
"product_reference": "cargo-auditable-0.7.2~0-150500.12.6.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-auditable-0.7.2~0-150500.12.6.1.x86_64 as component of SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.x86_64"
},
"product_reference": "cargo-auditable-0.7.2~0-150500.12.6.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-auditable-0.7.2~0-150500.12.6.1.aarch64 as component of SUSE Linux Enterprise Server 15 SP5-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP5-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.aarch64"
},
"product_reference": "cargo-auditable-0.7.2~0-150500.12.6.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP5-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le as component of SUSE Linux Enterprise Server 15 SP5-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP5-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le"
},
"product_reference": "cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP5-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-auditable-0.7.2~0-150500.12.6.1.s390x as component of SUSE Linux Enterprise Server 15 SP5-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP5-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.s390x"
},
"product_reference": "cargo-auditable-0.7.2~0-150500.12.6.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP5-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-auditable-0.7.2~0-150500.12.6.1.x86_64 as component of SUSE Linux Enterprise Server 15 SP5-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP5-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.x86_64"
},
"product_reference": "cargo-auditable-0.7.2~0-150500.12.6.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP5-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-auditable-0.7.2~0-150500.12.6.1.aarch64 as component of SUSE Linux Enterprise Server 15 SP6-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP6-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.aarch64"
},
"product_reference": "cargo-auditable-0.7.2~0-150500.12.6.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP6-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le as component of SUSE Linux Enterprise Server 15 SP6-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP6-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le"
},
"product_reference": "cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP6-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-auditable-0.7.2~0-150500.12.6.1.s390x as component of SUSE Linux Enterprise Server 15 SP6-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP6-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.s390x"
},
"product_reference": "cargo-auditable-0.7.2~0-150500.12.6.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP6-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-auditable-0.7.2~0-150500.12.6.1.x86_64 as component of SUSE Linux Enterprise Server 15 SP6-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP6-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.x86_64"
},
"product_reference": "cargo-auditable-0.7.2~0-150500.12.6.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP6-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le as component of SUSE Linux Enterprise Server for SAP Applications 15 SP5",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP5:cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le"
},
"product_reference": "cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-auditable-0.7.2~0-150500.12.6.1.x86_64 as component of SUSE Linux Enterprise Server for SAP Applications 15 SP5",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP5:cargo-auditable-0.7.2~0-150500.12.6.1.x86_64"
},
"product_reference": "cargo-auditable-0.7.2~0-150500.12.6.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le as component of SUSE Linux Enterprise Server for SAP Applications 15 SP6",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP6:cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le"
},
"product_reference": "cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-auditable-0.7.2~0-150500.12.6.1.x86_64 as component of SUSE Linux Enterprise Server for SAP Applications 15 SP6",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP6:cargo-auditable-0.7.2~0-150500.12.6.1.x86_64"
},
"product_reference": "cargo-auditable-0.7.2~0-150500.12.6.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-auditable-0.7.2~0-150500.12.6.1.aarch64 as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:cargo-auditable-0.7.2~0-150500.12.6.1.aarch64"
},
"product_reference": "cargo-auditable-0.7.2~0-150500.12.6.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le"
},
"product_reference": "cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-auditable-0.7.2~0-150500.12.6.1.s390x as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:cargo-auditable-0.7.2~0-150500.12.6.1.s390x"
},
"product_reference": "cargo-auditable-0.7.2~0-150500.12.6.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-auditable-0.7.2~0-150500.12.6.1.x86_64 as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:cargo-auditable-0.7.2~0-150500.12.6.1.x86_64"
},
"product_reference": "cargo-auditable-0.7.2~0-150500.12.6.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.6"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-25727",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-25727"
}
],
"notes": [
{
"category": "general",
"text": "time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary, non-malicious input will never encounter this scenario. A limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned rather than exhausting the stack.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:cargo-auditable-0.7.2~0-150500.12.6.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:cargo-auditable-0.7.2~0-150500.12.6.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.x86_64",
"SUSE Linux Enterprise Server 15 SP5-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.aarch64",
"SUSE Linux Enterprise Server 15 SP5-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP5-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.s390x",
"SUSE Linux Enterprise Server 15 SP5-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.x86_64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:cargo-auditable-0.7.2~0-150500.12.6.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:cargo-auditable-0.7.2~0-150500.12.6.1.x86_64",
"openSUSE Leap 15.6:cargo-auditable-0.7.2~0-150500.12.6.1.aarch64",
"openSUSE Leap 15.6:cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le",
"openSUSE Leap 15.6:cargo-auditable-0.7.2~0-150500.12.6.1.s390x",
"openSUSE Leap 15.6:cargo-auditable-0.7.2~0-150500.12.6.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-25727",
"url": "https://www.suse.com/security/cve/CVE-2026-25727"
},
{
"category": "external",
"summary": "SUSE Bug 1257901 for CVE-2026-25727",
"url": "https://bugzilla.suse.com/1257901"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:cargo-auditable-0.7.2~0-150500.12.6.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:cargo-auditable-0.7.2~0-150500.12.6.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.x86_64",
"SUSE Linux Enterprise Server 15 SP5-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.aarch64",
"SUSE Linux Enterprise Server 15 SP5-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP5-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.s390x",
"SUSE Linux Enterprise Server 15 SP5-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.x86_64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:cargo-auditable-0.7.2~0-150500.12.6.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:cargo-auditable-0.7.2~0-150500.12.6.1.x86_64",
"openSUSE Leap 15.6:cargo-auditable-0.7.2~0-150500.12.6.1.aarch64",
"openSUSE Leap 15.6:cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le",
"openSUSE Leap 15.6:cargo-auditable-0.7.2~0-150500.12.6.1.s390x",
"openSUSE Leap 15.6:cargo-auditable-0.7.2~0-150500.12.6.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:cargo-auditable-0.7.2~0-150500.12.6.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:cargo-auditable-0.7.2~0-150500.12.6.1.x86_64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.aarch64",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.x86_64",
"SUSE Linux Enterprise Server 15 SP5-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.aarch64",
"SUSE Linux Enterprise Server 15 SP5-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP5-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.s390x",
"SUSE Linux Enterprise Server 15 SP5-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.x86_64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.aarch64",
"SUSE Linux Enterprise Server 15 SP6-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le",
"SUSE Linux Enterprise Server 15 SP6-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.s390x",
"SUSE Linux Enterprise Server 15 SP6-LTSS:cargo-auditable-0.7.2~0-150500.12.6.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:cargo-auditable-0.7.2~0-150500.12.6.1.x86_64",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le",
"SUSE Linux Enterprise Server for SAP Applications 15 SP6:cargo-auditable-0.7.2~0-150500.12.6.1.x86_64",
"openSUSE Leap 15.6:cargo-auditable-0.7.2~0-150500.12.6.1.aarch64",
"openSUSE Leap 15.6:cargo-auditable-0.7.2~0-150500.12.6.1.ppc64le",
"openSUSE Leap 15.6:cargo-auditable-0.7.2~0-150500.12.6.1.s390x",
"openSUSE Leap 15.6:cargo-auditable-0.7.2~0-150500.12.6.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-13T14:31:50Z",
"details": "important"
}
],
"title": "CVE-2026-25727"
}
]
}
GHSA-R6V5-FH4H-64XC
Vulnerability from github – Published: 2026-02-05 17:57 – Updated: 2026-02-06 21:43
Summary
time vulnerable to stack exhaustion Denial of Service attack
Details
Impact
When user-provided input is passed to any type that parses with the RFC 2822 format, a Denial of Service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary, non-malicious input will never encounter this scenario.
Patches
A limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned rather than exhausting the stack.
Workarounds
Limiting the length of user input is the simplest way to avoid stack exhaustion, as the amount of stack consumed is at most proportional to the length of the input.
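The two mitigations above (a recursion-depth cap inside the parser, which is what v0.3.47 added, and an input-length cap applied before parsing, which is the workaround) can be shown on a small self-contained parser. The example below is added here for illustration and is not code from the `time` crate or from this advisory. It parses only the comment part of RFC 2822 CFWS, which the RFC defines recursively (a comment may contain further comments); the advisory does not say which deprecated construct the real parser recurses on, so this is an assumption used to demonstrate the pattern, not a statement about the crate's internals. `MAX_DEPTH`, `MAX_INPUT_LEN`, and all function names are assumptions of the example.

```rust
// Added illustration, not the `time` crate's code: a recursive-descent
// parser for RFC 2822 comments with (1) a recursion-depth cap inside the
// parser, mirroring the advisory's fix, and (2) an input-length cap in a
// wrapper, mirroring the advisory's workaround. Limits are assumed values.

#[derive(Debug, PartialEq)]
pub enum ParseError {
    TooDeep,
    Unterminated,
    TooLong,
    Unexpected(u8),
}

/// Maximum comment nesting accepted. Assumed value; the crate's own limit
/// is not stated in the advisory.
pub const MAX_DEPTH: usize = 32;

/// Maximum input the bounded wrapper hands to the parser. Assumed value.
pub const MAX_INPUT_LEN: usize = 256;

/// Parse one comment starting at `pos` (which must point at '(').
/// Returns the position just past the closing ')' and the deepest nesting
/// level seen. Because each nested '(' recurses with `depth + 1` and the
/// first check rejects `depth > MAX_DEPTH`, a hostile run of '(' characters
/// returns `TooDeep` after at most MAX_DEPTH + 1 frames instead of
/// exhausting the stack.
fn parse_comment(input: &[u8], mut pos: usize, depth: usize) -> Result<(usize, usize), ParseError> {
    if depth > MAX_DEPTH {
        return Err(ParseError::TooDeep);
    }
    debug_assert_eq!(input[pos], b'(');
    pos += 1;
    let mut max_seen = depth;
    while pos < input.len() {
        match input[pos] {
            b'(' => {
                let (next, seen) = parse_comment(input, pos, depth + 1)?;
                max_seen = max_seen.max(seen);
                pos = next;
            }
            b')' => return Ok((pos + 1, max_seen)),
            b'\\' => pos += 2, // quoted-pair: skip the escaped byte
            _ => pos += 1,     // any other ctext byte
        }
    }
    Err(ParseError::Unterminated)
}

/// Parse a run of folding whitespace and comments (the recursive part of
/// the CFWS grammar) and return the deepest comment nesting encountered.
pub fn parse_cfws(input: &str) -> Result<usize, ParseError> {
    let bytes = input.as_bytes();
    let mut pos = 0;
    let mut deepest = 0;
    while pos < bytes.len() {
        match bytes[pos] {
            b' ' | b'\t' | b'\r' | b'\n' => pos += 1,
            b'(' => {
                let (next, seen) = parse_comment(bytes, pos, 1)?;
                deepest = deepest.max(seen);
                pos = next;
            }
            other => return Err(ParseError::Unexpected(other)),
        }
    }
    Ok(deepest)
}

/// The advisory's workaround: reject over-long input before it reaches the
/// parser. Stack use is at most proportional to input length, so this caps
/// it even for a parser without its own depth limit.
pub fn parse_cfws_bounded(input: &str) -> Result<usize, ParseError> {
    if input.len() > MAX_INPUT_LEN {
        return Err(ParseError::TooLong);
    }
    parse_cfws(input)
}

fn main() {
    // Constructed sample inputs: one benign, one hostile.
    let benign = " (a comment (with nesting)) ";
    let hostile: String = "(".repeat(100_000) + &")".repeat(100_000);
    println!("benign:  {:?}", parse_cfws(benign));
    println!("hostile: {:?}", parse_cfws(&hostile));
    println!("bounded: {:?}", parse_cfws_bounded(&hostile));
}
```

The depth cap belongs inside the parser because it is the only mitigation that works regardless of how the input arrived; the length cap is cheap defence in depth at the trust boundary and is what a consumer of an unpatched version can apply today. Note also that the page classifies the issue under CWE-121 (stack-based buffer overflow); the behaviour described, unbounded recursion on attacker-controlled input, is what CWE-674 (Uncontrolled Recursion) covers, and no out-of-bounds write is involved.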
Severity
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "time"
},
"ranges": [
{
"events": [
{
"introduced": "0.3.6"
},
{
"fixed": "0.3.47"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-25727"
],
"database_specific": {
"cwe_ids": [
"CWE-121"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-05T17:57:55Z",
"nvd_published_at": "2026-02-06T20:16:11Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nWhen user-provided input is provided to any type that parses with the RFC 2822 format, a Denial of Service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary, non-malicious input will never encounter this scenario.\n\n### Patches\n\nA limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned rather than exhausting the stack.\n\n### Workarounds\n\nLimiting the length of user input is the simplest way to avoid stack exhaustion, as the amount of the stack consumed would be at most a factor of the length of the input.",
"id": "GHSA-r6v5-fh4h-64xc",
"modified": "2026-02-06T21:43:22Z",
"published": "2026-02-05T17:57:55Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/time-rs/time/security/advisories/GHSA-r6v5-fh4h-64xc"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25727"
},
{
"type": "WEB",
"url": "https://github.com/time-rs/time/commit/1c63dc7985b8fa26bd8c689423cc56b7a03841ee"
},
{
"type": "PACKAGE",
"url": "https://github.com/time-rs/time"
},
{
"type": "WEB",
"url": "https://github.com/time-rs/time/blob/main/CHANGELOG.md#0347-2026-02-05"
},
{
"type": "WEB",
"url": "https://github.com/time-rs/time/releases/tag/v0.3.47"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2026-0009.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H",
"type": "CVSS_V4"
}
],
"summary": "time vulnerable to stack exhaustion Denial of Service attack"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.