Rust is a multi-paradigm programming language focused on performance and safety, especially safe concurrency.

Rust

The Candid library causes a Denial of Service while parsing a specially crafted payload with `empty` data type. For example, if the payload is `record { * ; empty }` and  the canister interface expects `record { * }` then the rust candid decoder treats `empty` as an extra field required by the type.  The problem with type `empty` is that the candid rust library wrongly categorizes `empty` as a recoverable error when skipping the field and thus causing an infinite decoding loop. 
Canisters using affected versions of candid are exposed to denial of service by causing the decoding to run indefinitely until the canister traps due to reaching maximum instruction limit per execution round. Repeated exposure to the payload will result in degraded performance of the canister.
For asset canister users, `dfx` versions `>= 0.14.4` to `<= 0.15.2-beta.0` ships asset canister with an affected version of candid.
### Unaffected 
- Rust canisters using candid `< 0.9.0` or `>= 0.9.10` 
- Rust canister interfaces of type other than `record { * }`
- Motoko based canisters
- dfx (for asset canister) `<= 0.14.3` or `>= 0.15.2`
### References
-  [GitHub Security Advisory (GHSA-7787-p7x6-fq3j)](https://github.com/dfinity/candid/security/advisories/GHSA-7787-p7x6-fq3j)
-  [dfinity/candid/pull/478](https://github.com/dfinity/candid/pull/478)
-  [Candid Library Reference](https://internetcomputer.org/docs/current/references/candid-ref)
-  [Candid Specification](https://github.com/dfinity/candid/blob/master/spec/Candid.md)
-  [Internet Computer Specification](https://internetcomputer.org/docs/current/references/ic-interface-spec)

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2026-22698	HIGH	8.7	Rust	sm2	No	No	Jan 10, 2026
CVE-2026-22700	HIGH	7.5	Rust	sm2	No	No	Jan 10, 2026
CVE-2026-22699	HIGH	7.5	Rust	sm2	No	No	Jan 10, 2026
CVE-2026-22705	MEDIUM	6.4	Rust	ml-dsa	No	Yes	Jan 10, 2026
CVE-2025-15504	MEDIUM	4.8	Python	lief	No	Yes	Jan 10, 2026

RUSTSEC-2023-0073:
Rust vulnerability analysis and mitigation

Overview

Technical details

Mitigation and workarounds

Additional resources

7.5

Related Rust vulnerabilities:

Benchmark your Cloud Security Posture

Additional Wiz resources

Cloud Vulnerability DB

Cloud Threat Landscape

PEACH

Ready to see Wiz in action?

RUSTSEC-2023-0073: Rust vulnerability analysis and mitigation