CVE-2026-25727: Stack-based Buffer Overflow in Project Time

Severity: 6.8 MEDIUM (NVD)
EPSS: 0.0% (top 96.65%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 6; latest update Feb 9

Description

time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary, non-malicious input will never encounter this scenario. A limit to the depth of recursion was added in v0.3.47. From this version, an er

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H

Affected Packages (3 packages)

NVD: time_project/time, from 0.3.6, before 0.3.47
crates.io: time_project/time, from 0.3.6, before 0.3.47
CVEListV5: time-rs/time, >= 0.3.6, < 0.3.47

Patches

🔴 Vulnerability Details (5)

OSV: CVE-2026-25727: time provides date and time handling in Rust (2026-02-06)
CVEList: time affected by a stack exhaustion denial of service attack (2026-02-06)
OSV: time vulnerable to stack exhaustion Denial of Service attack (2026-02-05)
OSV: Denial of Service via Stack Exhaustion (2026-02-05)
GHSA: time vulnerable to stack exhaustion Denial of Service attack (2026-02-05)

📋 Vendor Advisories (2)

Red Hat: time: time affected by a stack exhaustion denial of service attack (2026-02-06)
Debian: CVE-2026-25727: rust-time - time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when ... (2026)

🕵️ Threat Intelligence (1)

Wiz: CVE-2026-25727 Impact, Exploitability, and Mitigation Steps | Wiz

💬 Community (1)

Bugzilla: CVE-2026-25727 fido-device-onboard: time affected by a stack exhaustion denial of service attack [fedora-43] (2026-02-09)
CVE-2026-25727 — Stack-based Buffer Overflow | cvebase