rust-lang 関連製品全体の CVE とセキュリティ脆弱性情報を集約し、CVSS、EPSS、公開日、脆弱性情報データを掲載しています。
一般的な弱点パターンには バッファオーバーフロー、vendor risk memory corruption、vendor risk cross-site scripting, and パス処理の欠陥 があり、vendor surface software deployment の利用場面で アプリケーションクラッシュ、vendor impact memory corruption, and vendor impact session compromise などのリスクが生じる可能性があります。
掲載データは公開脆弱性情報とセキュリティ公告に基づき、過去の暴露面と修補優先度の評価に利用できます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2026-5223 | Cargo incorrectly handled symlinks inside of crate tarballs downloaded from third-party registries, allowing a malicious crate to override the source code of another crate from the same registry. The severity of the vulnerability is **medium** for users of third-party registries. Users of crates.io are **not affected**, as crates.io forbids uploading crates containing any symlink. | 986d4109-89ea-491f-99fd-a8e4803919bd | 6.5 | 0.06% | 2026-05-25 | 2026-06-01 |
| CVE-2026-5222 | Cargo between 1.68 and 1.96 incorrectly normalized the URLs of third-party registries using the sparse index protocol. If a hosting provider allowed multiple registries to be hosted with arbitrary names within the same domain, an attacker able to publish crates in a registry could obtain the credentials of others users of the same registry. The severity of the vulnerability is **low**, due to the extremely niche requirements needed to achieve the attack. | 986d4109-89ea-491f-99fd-a8e4803919bd | 2.3 | 0.03% | 2026-05-25 | 2026-06-01 |
| CVE-2024-43402 | Rust is a programming language. The fix for CVE-2024-24576, where `std::process::Command` incorrectly escaped arguments when invoking batch files on Windows, was incomplete. Prior to Rust version 1.81.0, it was possible to bypass the fix when the batch file name had trailing whitespace or periods (which are ignored and stripped by Windows). To determine whether to apply the `cmd.exe` escaping rules, the original fix for the vulnerability checked whether the command name ended with `.bat` or `.cm | [email protected] | 8.1 | 0.51% | 2024-09-04 | 2024-10-01 |
| CVE-2024-3566 | A command inject vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied. | [email protected] | 9.8 | 9.61% | 2024-04-10 | 2026-05-15 |
| CVE-2024-24576 | Rust is a programming language. The Rust Security Response WG was notified that the Rust standard library prior to version 1.77.2 did not properly escape arguments when invoking batch files (with the `bat` and `cmd` extensions) on Windows using the `Command`. An attacker able to control the arguments passed to the spawned process could execute arbitrary shell commands by bypassing the escaping. The severity of this vulnerability is critical for those who invoke batch files on Windows with untrus | [email protected] | 10.0 | 80.54% | 2024-04-09 | 2026-01-05 |
| CVE-2023-40030 | Cargo downloads a Rust project’s dependencies and compiles the project. Starting in Rust 1.60.0 and prior to 1.72, Cargo did not escape Cargo feature names when including them in the report generated by `cargo build --timings`. A malicious package included as a dependency may inject nearly arbitrary HTML here, potentially leading to cross-site scripting if the report is subsequently uploaded somewhere. The vulnerability affects users relying on dependencies from git, local paths, or alternative | [email protected] | 6.1 | 0.19% | 2023-08-24 | 2024-11-21 |
| CVE-2023-38497 | Cargo downloads the Rust project’s dependencies and compiles the project. Cargo prior to version 0.72.2, bundled with Rust prior to version 1.71.1, did not respect the umask when extracting crate archives on UNIX-like systems. If the user downloaded a crate containing files writeable by any local user, another local user could exploit this to change the source code compiled and executed by the current user. To prevent existing cached extractions from being exploitable, the Cargo binary version 0 | [email protected] | 7.9 | 5.66% | 2023-08-04 | 2024-11-21 |
| CVE-2022-46176 | Cargo is a Rust package manager. The Rust Security Response WG was notified that Cargo did not perform SSH host key verification when cloning indexes and dependencies via SSH. An attacker could exploit this to perform man-in-the-middle (MITM) attacks. This vulnerability has been assigned CVE-2022-46176. All Rust versions containing Cargo before 1.66.1 are vulnerable. Note that even if you don't explicitly use SSH for alternate registry indexes or crate dependencies, you might be affected by this | [email protected] | 5.3 | 0.15% | 2023-01-11 | 2024-11-21 |
| CVE-2022-36114 | Cargo is a package manager for the rust programming language. It was discovered that Cargo did not limit the amount of data extracted from compressed archives. An attacker could upload to an alternate registry a specially crafted package that extracts way more data than its size (also known as a "zip bomb"), exhausting the disk space on the machine using Cargo to download the package. Note that by design Cargo allows code execution at build time, due to build scripts and procedural macros. The v | [email protected] | 4.8 | 0.46% | 2022-09-14 | 2024-11-21 |
| CVE-2022-36113 | Cargo is a package manager for the rust programming language. After a package is downloaded, Cargo extracts its source code in the ~/.cargo folder on disk, making it available to the Rust projects it builds. To record when an extraction is successful, Cargo writes "ok" to the .cargo-ok file at the root of the extracted source code once it extracted all the files. It was discovered that Cargo allowed packages to contain a .cargo-ok symbolic link, which Cargo would extract. Then, when Cargo attemp | [email protected] | 4.6 | 8.94% | 2022-09-14 | 2024-11-21 |
| CVE-2022-24713 | regex is an implementation of regular expressions for the Rust language. The regex crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of the crate's API. Unfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes to take an arbitrary amo | [email protected] | 7.5 | 10.40% | 2022-03-08 | 2024-11-21 |
| CVE-2022-21658 | Rust is a multi-paradigm, general-purpose programming language designed for performance and safety, especially safe concurrency. The Rust Security Response WG was notified that the `std::fs::remove_dir_all` standard library function is vulnerable a race condition enabling symlink following (CWE-363). An attacker could use this security issue to trick a privileged program into deleting files and directories the attacker couldn't otherwise access or delete. Rust 1.0.0 through Rust 1.58.0 is affect | [email protected] | 7.3 | 0.91% | 2022-01-20 | 2024-11-21 |
| CVE-2021-29922 | library/std/src/net/parser.rs in Rust before 1.53.0 does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. | [email protected] | 9.1 | 0.33% | 2021-08-07 | 2024-11-21 |
| CVE-2021-31162 | In the standard library in Rust before 1.52.0, a double free can occur in the Vec::from_iter function if freeing the element panics. | [email protected] | 9.8 | 0.74% | 2021-04-14 | 2024-11-21 |
| CVE-2020-36323 | In the standard library in Rust before 1.52.0, there is an optimization for joining strings that can cause uninitialized bytes to be exposed (or the program to crash) if the borrowed string changes after its length is checked. | [email protected] | 8.2 | 1.01% | 2021-04-14 | 2024-11-21 |
| CVE-2018-25008 | In the standard library in Rust before 1.29.0, there is weak synchronization in the Arc::get_mut method. This synchronization issue can be lead to memory safety issues through race conditions. | [email protected] | 5.9 | 0.21% | 2021-04-14 | 2024-11-21 |
| CVE-2017-20004 | In the standard library in Rust before 1.19.0, there is a synchronization problem in the MutexGuard object. MutexGuards can be used across threads with any types, allowing for memory safety issues through race conditions. | [email protected] | 5.9 | 0.24% | 2021-04-14 | 2024-11-21 |
| CVE-2021-28879 | In the standard library in Rust before 1.52.0, the Zip implementation can report an incorrect size due to an integer overflow. This bug can lead to a buffer overflow when a consumed Zip iterator is used again. | [email protected] | 9.8 | 1.10% | 2021-04-11 | 2024-11-21 |
| CVE-2021-28878 | In the standard library in Rust before 1.52.0, the Zip implementation calls __iterator_get_unchecked() more than once for the same index (under certain conditions) when next_back() and next() are used together. This bug could lead to a memory safety violation due to an unmet safety requirement for the TrustedRandomAccess trait. | [email protected] | 7.5 | 1.01% | 2021-04-11 | 2024-11-21 |
| CVE-2021-28877 | In the standard library in Rust before 1.51.0, the Zip implementation calls __iterator_get_unchecked() for the same index more than once when nested. This bug can lead to a memory safety violation due to an unmet safety requirement for the TrustedRandomAccess trait. | [email protected] | 7.5 | 0.27% | 2021-04-11 | 2024-11-21 |