{"id":"CVE-2026-25727","summary":"time affected by a stack exhaustion denial of service attack","details":"time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary, non-malicious input will never encounter this scenario. A limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned rather than exhausting the stack.","aliases":["GHSA-r6v5-fh4h-64xc","RUSTSEC-2026-0009"],"modified":"2026-04-30T12:13:41.642077Z","published":"2026-02-06T19:20:56.298Z","related":["CGA-cq26-69jv-qp5c","SUSE-FU-2026:20990-1","SUSE-SU-2026:0452-1","SUSE-SU-2026:0453-1","SUSE-SU-2026:0470-1","SUSE-SU-2026:0505-1","SUSE-SU-2026:0506-1","SUSE-SU-2026:0514-1","SUSE-SU-2026:0582-1","SUSE-SU-2026:0620-1","SUSE-SU-2026:0806-1","SUSE-SU-2026:0816-1","SUSE-SU-2026:0819-1","SUSE-SU-2026:0860-1","SUSE-SU-2026:1361-1","SUSE-SU-2026:1599-1","SUSE-SU-2026:20526-1","SUSE-SU-2026:20534-1","SUSE-SU-2026:20575-1","SUSE-SU-2026:20661-1","SUSE-SU-2026:20684-1","SUSE-SU-2026:20723-1","SUSE-SU-2026:20744-1","SUSE-SU-2026:20748-1","SUSE-SU-2026:21275-1","SUSE-SU-2026:21377-1","openSUSE-FU-2026:20453-1","openSUSE-SU-2026:10170-1","openSUSE-SU-2026:10172-1","openSUSE-SU-2026:10175-1","openSUSE-SU-2026:10179-1","openSUSE-SU-2026:10180-1","openSUSE-SU-2026:10181-1","openSUSE-SU-2026:10182-1","openSUSE-SU-2026:10184-1","openSUSE-SU-2026:10185-1","openSUSE-SU-2026:10202-1","openSUSE-SU-2026:10308-1","openSUSE-SU-2026:20245-1","openSUSE-SU-2026:20326-1","openSUSE-SU-2026:20364-1","openSUSE-SU-2026:20377-1","openSUSE-SU-2026:20380-1","openSUSE-SU-2026:20610-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25727.json","cwe_ids":["CWE-121"],"cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://github.com/time-rs/time/blob/main/CHANGELOG.md#0347-2026-02-05"},{"type":"WEB","url":"https://github.com/time-rs/time/releases/tag/v0.3.47"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25727.json"},{"type":"ADVISORY","url":"https://github.com/time-rs/time/security/advisories/GHSA-r6v5-fh4h-64xc"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25727"},{"type":"FIX","url":"https://github.com/time-rs/time/commit/1c63dc7985b8fa26bd8c689423cc56b7a03841ee"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/time-rs/time","events":[{"introduced":"3ff454351155515b4e4cc15fda8db46eec3ef706"},{"fixed":"d5144cd2874862d46466c900910cd8577d066019"}]}],"versions":["v0.3.10","v0.3.11","v0.3.12","v0.3.13","v0.3.14","v0.3.15","v0.3.16","v0.3.17","v0.3.18","v0.3.19","v0.3.20","v0.3.21","v0.3.22","v0.3.23","v0.3.24","v0.3.25","v0.3.26","v0.3.27","v0.3.28","v0.3.29","v0.3.30","v0.3.31","v0.3.32","v0.3.33","v0.3.34","v0.3.35","v0.3.36","v0.3.37","v0.3.38","v0.3.39","v0.3.40","v0.3.41","v0.3.42","v0.3.43","v0.3.44","v0.3.45","v0.3.46","v0.3.6","v0.3.7","v0.3.9"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-25727.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H"}]}