Bug 2437727 (CVE-2026-25727) - CVE-2026-25727 time: time affected by a stack exhaustion denial of service attack
Keywords:
Status: NEW
Alias: CVE-2026-25727
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2438031 2438034 2438035 2438037 2438038 2438042 2438044 2438047 2438048 2438049 2438050 2438051 2438052 2438053 2438054 2438055 2438056 2438057 2438058 2438059 2438060 2438061 2438062 2438063 2438064 2438065 2438066 2438067 2438068 2438069 2438071 2438072 2438073 2438074 2438076 2438078 2438079 2438081 2438082 2438084 2438089 2438092 2438094 2438095 2438096 2438099 2438101 2438105 2438106 2438107 2438108 2438109 2438110 2438111 2438113 2438114 2438115 2438116 2438117 2438118 2438119 2438120 2438121 2438122 2438123 2438124 2438125 2438126 2438127 2438128 2438129 2438131 2438132 2438133 2438134 2438136 2438139 2438140 2438143 2438144 2438147 2438159 2438161 2438162 2438163 2438166 2438168 2438032 2438033 2438036 2438039 2438040 2438041 2438043 2438045 2438046 2438070 2438075 2438077 2438080 2438083 2438085 2438086 2438087 2438088 2438090 2438091 2438093 2438097 2438098 2438100 2438102 2438103 2438104 2438130 2438135 2438137 2438138 2438141 2438142 2438145 2438146 2438148 2438149 2438150 2438152 2438154 2438156 2438158 2438160 2438164 2438165 2438167 2438169
Blocks:
Reported: 2026-02-09 11:02 UTC by OSIDB Bzimport
Modified: 2026-02-09 19:01 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-02-09 11:02:33 UTC
time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary, non-malicious input will never encounter this scenario. A limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned rather than exhausting the stack.

