ByteBrief
Cargo mishandles symlinks in crate tarballs from third-party registries, allowing a malicious crate to overwrite another crate's cached source code. The vulnerability, CVE-2026-5223, affects all Cargo versions before Rust 1.96.0. crates.io users are unaffected because that registry forbids symlinks. Rust 1.96.0, releasing May 28th 2026, will block all symlink extraction.
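As an added example (not code from the Rust project or from this brief), here is a check a team using a third-party registry could run over a downloaded `.crate` file, which is a gzip-compressed tarball, to list symlink entries without extracting anything. The sample archive, crate name and link target are constructed, and reporting hard links as well goes beyond what the brief describes.

```python
import io
import tarfile


def find_link_entries(crate_bytes):
    """Return (name, kind, target) for every link entry in a .crate archive."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(crate_bytes), mode="r:gz") as tar:
        for member in tar:  # walks the headers only; nothing is written to disk
            if member.issym():
                findings.append((member.name, "symlink", member.linkname))
            elif member.islnk():
                # Hard links are not mentioned in the brief; flagged as an extension.
                findings.append((member.name, "hardlink", member.linkname))
    return findings


def build_sample_crate(with_symlink):
    """Constructed sample: a tiny in-memory tarball laid out like a .crate file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        manifest = b'[package]\nname = "demo"\nversion = "0.1.0"\n'
        info = tarfile.TarInfo("demo-0.1.0/Cargo.toml")
        info.size = len(manifest)
        tar.addfile(info, io.BytesIO(manifest))
        if with_symlink:
            link = tarfile.TarInfo("demo-0.1.0/assets")
            link.type = tarfile.SYMTYPE
            link.linkname = "placeholder-target"  # constructed value
            tar.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("clean", False), ("with symlink", True)):
        hits = find_link_entries(build_sample_crate(flag))
        print(label, "->", hits or "no link entries")
```

Any non-empty result is a reason to reject the archive before Cargo unpacks it, which matches the behaviour the brief says Rust 1.96.0 will enforce.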
Summary by ByteBrief