{"ecosystem":"cargo","package":"time","version":null,"bugs":[{"id":892,"ecosystem":"cargo","package_name":"time","affected_version":"0.3.6","fixed_version":"0.3.47","bug_id":"osv:RUSTSEC-2026-0009","title":"Denial of Service via Stack Exhaustion","description":"## Impact\n\nWhen user-provided input is provided to any type that parses with the RFC 2822 format, a denial of\nservice attack via stack exhaustion is possible. The attack relies on formally deprecated and\nrarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary,\nnon-malicious input will never encounter this scenario.\n\n## Patches\n\nA limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned\nrather than exhausting the stack.\n\n## Workarounds\n\nLimiting the length of user input is the simplest way to avoid stack exhaustion, as the amount of\nthe stack consumed would be at most a factor of the length of the input.","severity":"medium","status":"fixed","source":"osv","source_url":"https://crates.io/crates/time","labels":["CVE-2026-25727","GHSA-r6v5-fh4h-64xc"],"created_at":"2026-04-19T04:32:05.418785+00:00","updated_at":"2026-04-19T04:32:05.418785+00:00"},{"id":891,"ecosystem":"cargo","package_name":"time","affected_version":"0.2.7-0","fixed_version":"0.2.23","bug_id":"osv:RUSTSEC-2020-0071","title":"Potential segfault in the time crate","description":"### Impact\n\nThe affected functions set environment variables without synchronization. On Unix-like operating systems, this can crash in multithreaded programs. Programs may segfault due to dereferencing a dangling pointer if an environment variable is read in a different thread than the affected functions. This may occur without the user's knowledge, notably in the Rust standard library or third-party libraries.\n\nThe affected functions from time 0.2.7 through 0.2.22 are:\n\n- `time::UtcOffset::local_offset_at`\n- `time::UtcOffset::try_local_offset_at`\n- `time::UtcOffset::current_local_offset`\n- `time::UtcOffset::try_current_local_offset`\n- `time::OffsetDateTime::now_local`\n- `time::OffsetDateTime::try_now_local`\n\nThe affected functions in time 0.1 (all versions) are:\n\n- `time::at_utc`\n- `time::at`\n- `time::now`\n- `time::tzset`\n\nNon-Unix targets (including Windows and wasm) are unaffected.\n\n### Patches\n\nPending a proper fix, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods.\n\nUsers and library authors with time in their dependency tree should perform `cargo update`, which will pull in the updated, unaffected code.\n\nUsers of time 0.1 do not have a patch and should upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\n\n### Workarounds\n\nA possible workaround for crates affected through the transitive dependency in `chrono`, is to avoid using the default `oldtime` feature dependency of the `chrono` crate by disabling its `default-features` and manually specifying the required features instead.\n\n#### Examples:\n\n`Cargo.toml`:  \n\n```toml\nchrono = { version = \"0.4\", default-features = false, features = [\"serde\"] }\n```\n\n```toml\nchrono = { version = \"0.4.22\", default-features = false, features = [\"clock\"] }\n```\n\nCommandline:  \n\n```bash\ncargo add chrono --no-default-features -F clock\n```\n\nSources:  \n - [chronotope/chrono#602 (comment)](https://github.com/chronotope/chrono/issues/602#issuecomment-1242149249)  \n - [vityafx/serde-aux#21](https://github.com/vityafx/serde-aux/issues/21)","severity":"medium","status":"fixed","source":"osv","source_url":"https://crates.io/crates/time","labels":["CVE-2020-26235","GHSA-wcg3-cvx6-7396"],"created_at":"2026-04-19T04:32:05.418236+00:00","updated_at":"2026-04-19T04:32:05.418236+00:00"},{"id":890,"ecosystem":"cargo","package_name":"time","affected_version":"0.1.0","fixed_version":"0.2.23","bug_id":"osv:GHSA-wcg3-cvx6-7396","title":"Segmentation fault in time","description":"### Impact\n\nUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.\n\nThe affected functions from time 0.2.7 through 0.2.22 are:\n\n- `time::UtcOffset::local_offset_at`\n- `time::UtcOffset::try_local_offset_at`\n- `time::UtcOffset::current_local_offset`\n- `time::UtcOffset::try_current_local_offset`\n- `time::OffsetDateTime::now_local`\n- `time::OffsetDateTime::try_now_local`\n\nThe affected functions in time 0.1 (all versions) are:\n\n- `at`\n- `at_utc`\n- `now`\n\nNon-Unix targets (including Windows and wasm) are unaffected.\n\n### Patches\n\nIn some versions of `time`, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods. In later versions, `time` will attempt to determine the number of threads running in the process. If the process is single-threaded, the call will proceed as its safety invariant is upheld.\n\nUsers and library authors with time in their dependency tree must perform `cargo update`, which will pull in the updated, unaffected code.\n\nUsers of time 0.1 do not have a patch and must upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\n\n### Workarounds\n\nLibrary authors must ensure that the program only has one running thread at the time of calling any affected method. Binary authors may do the same and/or ensure that no other thread is actively mutating the environment.\n\n### References\n\n[time-rs/time#293](https://github.com/time-rs/time/issues/293).","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/time-rs/time/security/advisories/GHSA-wcg3-cvx6-7396","labels":["CVE-2020-26235","RUSTSEC-2020-0071"],"created_at":"2026-04-19T04:32:05.417597+00:00","updated_at":"2026-04-19T04:32:05.417597+00:00"},{"id":889,"ecosystem":"cargo","package_name":"time","affected_version":"0.3.6","fixed_version":"0.3.47","bug_id":"osv:GHSA-r6v5-fh4h-64xc","title":"time vulnerable to stack exhaustion Denial of Service attack","description":"### Impact\n\nWhen user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary, non-malicious input will never encounter this scenario.\n\n### Patches\n\nA limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned rather than exhausting the stack.\n\n### Workarounds\n\nLimiting the length of user input is the simplest way to avoid stack exhaustion, as the amount of the stack consumed would be at most a factor of the length of the input.\n\nAlternatively, avoiding the format altogether would also ensure that the vulnerability is not encountered. To do this, add\n\n```toml\ndisallowed-types = [\"time::format_description::well_known::Rfc2822\"]\n```\n\nto your `clippy.toml` file. This will trigger the `clippy::disallowed_types` lint, which is warn-by-default and can be explicitly denied.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/time-rs/time/security/advisories/GHSA-r6v5-fh4h-64xc","labels":["CVE-2026-25727","RUSTSEC-2026-0009"],"created_at":"2026-04-19T04:32:05.416503+00:00","updated_at":"2026-04-19T04:32:05.416503+00:00"}],"total":4,"_cache":"miss"}