🦀 Two Cargo Bugs, One Big Lesson
Today’s issue: SQLx 0.9.0 Power Features, Astro Betting on Rust, and Why Rust Is Different
Happy new month Rustaceans!
In this issue, we’ll break down the two recent Cargo security disclosures, spotlight a project, and highlight 10 awesome links of the week.
Here’s issue 121.
MAIN NEWS
Two Cargo Bugs, One Big Lesson
This being the first issue of the month, we wish you a productive month ahead.
On the Rust side of things, last week we saw two advisories from the Rust Security Response Team, released on May 25th, with the fix landing in Rust v1.96.0.
These Cargo vulnerabilities (CVE-2026-5223 and CVE-2026-5222) remind us that supply chain risks are still real, especially when venturing beyond crates.io.
First, CVE-2026-5223 (Medium severity) exposes a symlink mishandling issue in how Cargo extracts crate tarballs from third-party registries.
Cargo has always tried hard to sandbox extractions within ~/.cargo, but a clever malicious tarball could drop files one directory level up, potentially overwriting another crate’s cached source from the same registry.
The good news? crates.io has always forbidden symlinks, so official registry users are untouched. The fix in 1.96.0 is clean and blunt: Cargo now rejects any symlinks in tarballs.
If you’re on older versions, audit your private registries aggressively. This one feels like the kind of edge case that emerges when you support flexible third-party hosting.
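To make the 1.96.0 policy concrete, here is an added example (our own illustration, not Cargo's code) of how a tarball extractor can refuse link entries and directory-climbing paths before writing anything to disk. It parses raw ustar headers with std only; the `header` helper builds constructed headers for testing, not real crate contents.

```rust
// Added example: a minimal validator for crate tarball entry headers.
// It mirrors the policy described above: reject any symlink or hardlink
// entry, and reject any path that could escape the extraction directory.
use std::path::{Component, Path};

/// Why an entry is unacceptable.
#[derive(Debug, PartialEq)]
pub enum Rejection { Link, Escape, BadHeader }

/// Parse one 512-byte ustar header into (path, typeflag).
fn parse_header(block: &[u8]) -> Option<(String, u8)> {
    if block.len() < 512 { return None; }
    // NUL-terminated text field helper.
    let field = |s: usize, e: usize| -> String {
        let raw = &block[s..e];
        let end = raw.iter().position(|&b| b == 0).unwrap_or(raw.len());
        String::from_utf8_lossy(&raw[..end]).into_owned()
    };
    let name = field(0, 100);       // "name" field
    let prefix = field(345, 500);   // ustar "prefix" field for long paths
    let path = if prefix.is_empty() { name } else { format!("{prefix}/{name}") };
    Some((path, block[156]))        // offset 156 is the typeflag byte
}

/// Validate a single entry header: Ok(path) if it may be extracted.
pub fn check_entry(block: &[u8]) -> Result<String, Rejection> {
    let (path, typeflag) = parse_header(block).ok_or(Rejection::BadHeader)?;
    // '1' = hardlink, '2' = symlink: refuse both, as Cargo 1.96.0 now does.
    if typeflag == b'1' || typeflag == b'2' { return Err(Rejection::Link); }
    // Refuse absolute paths and any `..` component that could climb one level up.
    let escapes = Path::new(&path).components().any(|c| {
        matches!(c, Component::ParentDir | Component::RootDir | Component::Prefix(_))
    });
    if escapes { return Err(Rejection::Escape); }
    Ok(path)
}

/// Build a constructed ustar header (test fixture, not a real crate).
pub fn header(path: &str, typeflag: u8) -> Vec<u8> {
    let mut b = vec![0u8; 512];
    b[..path.len()].copy_from_slice(path.as_bytes());
    b[156] = typeflag;
    b[257..262].copy_from_slice(b"ustar");
    b
}
```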
The second issue, CVE-2026-5222 (Low severity), is more niche but elegantly illustrates Cargo’s evolution pains.
It stems from legacy URL normalization behavior leaking into sparse index registries. Under very specific conditions (multiple registries on the same domain), an attacker could trick Cargo into leaking your authentication token to a malicious registry.
Sparse indexes (stabilized in 1.68) brought huge performance wins, but this shows how protocol transitions can introduce subtle attack surfaces.
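The defensive lesson here is that a registry token should be scoped to the full registry URL, not just the host. The following is an added illustration of that policy (our own code, not Cargo's, and not a reconstruction of the actual bug); it assumes the safe rule is "same scheme, same authority, and the request path lies under the registry's index path".

```rust
// Added example: scope a registry token to the exact registry URL it was
// configured for, so two registries sharing a domain never see each other's
// credentials. No normalization beyond lowercasing scheme and authority.

/// Split "scheme://authority/path" into its three parts.
fn split_url(url: &str) -> Option<(String, String, String)> {
    let (scheme, rest) = url.split_once("://")?;
    let (authority, path) = match rest.find('/') {
        Some(i) => (&rest[..i], &rest[i..]),
        None => (rest, "/"),
    };
    if authority.is_empty() { return None; }
    Some((
        scheme.to_ascii_lowercase(),
        authority.to_ascii_lowercase(),
        path.to_string(),
    ))
}

/// True only if `request_url` is inside the registry rooted at `registry_url`.
pub fn token_allowed(registry_url: &str, request_url: &str) -> bool {
    let (reg, req) = match (split_url(registry_url), split_url(request_url)) {
        (Some(r), Some(q)) => (r, q),
        _ => return false,
    };
    let (rs, ra, rp) = reg;
    let (qs, qa, qp) = req;
    // Scheme and host:port must match exactly; a second registry on the
    // same host but a different path must not match.
    if rs != qs || ra != qa { return false; }
    // Path must match on a '/' boundary: "/index" must not authorize "/index2".
    let root = rp.trim_end_matches('/');
    qp == root || qp.starts_with(&format!("{root}/"))
}
```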
Both were reported by Christos Papakonstantinou (kudos for responsible disclosure), and fixed swiftly by the team.
The Rust ecosystem’s security posture is already elite compared to most languages, but these incidents highlight that third-party registries require extra vigilance.
I love Cargo’s reproducibility and caching, but that same power makes supply chain attacks tempting targets.
For production codebases and internal registries, enable strict checks, review tarball contents, and consider air-gapped or heavily validated mirrors if possible.
Make sure you upgrade to Rust 1.96.0 if you haven’t already.
PROJECT SPOTLIGHT 💡
Corrosion
Corrosion is a gossip-based service discovery for large distributed systems.
Corrosion gives every machine a local SQLite database. Changes gossip through the cluster using CR-SQLite for conflict-free resolution, Foca (SWIM) for membership, and QUIC for actually secure peer-to-peer comms.
What makes it seriously cool:
You just write normal SQL to read and write state. No weird custom APIs.
Drop new schemas in files and they apply on the fly.
HTTP streaming subscriptions to changes in SQL query results, with no polling.
Rhai templates that turn your Corrosion state into real config files automatically.
Corrosion is open-source at https://github.com/superfly/corrosion.
AWESOME LINKS OF THE WEEK 🔗
Rust 1.96.0 is out with new Copy-friendly Range types, assert_matches! macros, WebAssembly fixes, and two Cargo security patches (more in the next issue). Walter Pearce (Rust Foundation Security Engineer) has been named to the inaugural OpenSSF Ambassador Program for his outstanding open source security work.
Sverre Bjørke jailbroke his Kindle, cross-compiled Rust + Slint for ARMv7, slapped a GUI on the e-ink screen and touch panel like a madlad.
Carl Kadi gave a talk at the Rust Seattle User Group on 9 Ways to Do Inheritance in Rust, which is a funny way of saying ‘we tried really hard not to have inheritance, but okay.’ [video]
SQLx 0.9.0 just got released. Major highlights include moving to the new transact-rs GitHub org, dropping Cargo.lock from the repo, adding smol + async-global-executor runtime support, and hardening query safety with the new SqlSafeStr trait.
Microsoft merged Windows Reactor, a React-style declarative UI library for WinUI 3 in Rust with hooks, components, and excellent performance.
Alice Ryhl joined The Pragmatic Engineer podcast to explain why Rust feels different from… well, everything else. Surprisingly engaging. Worth the watch. [video]
Melvyn, Kseniia, and Raul wrote how ClickHouse integrated Rust Delta Kernel to simplify Delta Lake support, enabling writes, time travel, schema evolution, and pruning while reducing maintenance.
Astro 6.4 shipped with Sätteri, a new fast Rust-powered Markdown processor with a fully pluggable pipeline. The Rustification of web tooling continues.
Rustls maintains top performance in Q1 2026 benchmarks against BoringSSL and OpenSSL, with exciting split-mode improvements coming in 0.24.
TokioConf 2026 videos are now available, and the next edition is scheduled for April 26-27, 2027 in Portland, OR.
CodeCrafters: Become a Better Rust Engineer
CodeCrafters created amazing Rust courses that push your skills beyond the basics.
You’ll have fun building real-world projects from scratch, including Git, Docker, Redis, Kafka, SQLite, Grep, BitTorrent, HTTP Server, an Interpreter, and DNS.
The courses are self-paced, so you can learn at your own speed.
Join for free and get 40% off when you upgrade. [affiliate]
X | BlueSky | Mastodon | GitHub | LinkedIn | Buy us coffee | hello@rustbytes.com
Stay safe wherever you are.
See you next week!
John & Elley.