CVE-2026-25727 MEDIUM

CVE-2026-25727: time affected by a stack exhaustion denial of service attack

Vendor Time-Rs
Product time
Weakness CWE-121
Published February 6, 2026
Last update February 6, 2026

CVSS base score

6.8/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H

What the vulnerability does

01Description

time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary, non-malicious input will never encounter this scenario. A limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned rather than exhausting the stack.

Key dates

02Disclosure timeline

February 6, 2026 CVE published
February 6, 2026 Record updated