CVE-2026-5223 is a medium-severity vulnerability in Cargo affecting crate tarballs downloaded from third-party registries. Cargo incorrectly handled symlinks embedded in crate tarballs during extraction into the local Cargo cache under ~/.cargo. Although Cargo had protections intended to prevent extraction outside a crate’s own cache directory, a malicious tarball could be crafted so that files were extracted one level below its intended cache directory via symlink abuse, allowing the malicious crate to overwrite the cached source code of another crate from the same registry. This can cause subsequent builds to consume attacker-controlled source in place of the legitimate dependency. The issue affects Cargo versions shipped before Rust 1.96.0. Users of crates.io are not affected because crates.io already rejects crates containing symlinks.
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
What an attacker gets, and what they’ve been doing with it.
If you can’t patch tonight, do this now.
Patch, then assume compromise.
No public exploits tracked yet. Mallory keeps watching.
No public exploit code observed for this vulnerability.
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
15 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A medium severity vulnerability affecting users of third-party registries involving extraction of crate tarballs with symlinks.
A Cargo vulnerability in handling symlinks inside crate tarballs from third-party registries that can allow a malicious crate to overwrite another crate's cached source code from the same registry.
A vulnerability in Cargo that could allow crate package name confusion/substitution, causing a package to be fetched from an unintended source under certain conditions.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.