1141 matches found
Integer overflow in the bundled Brotli C library
A buffer overflow exists in the Brotli library versions prior to 1.0.8 where an attacker controlling the input length of a "one-shot" decompression request to a script can trigger a crash, which happens when copying over chunks of data larger than 2 GiB. If one cannot update the C library, its...
AtomicBox<T> lacks bound on its Send and Sync traits allowing data races
AtomicBox is a Box type designed to be used across threads, however, it implements the Send and Sync traits for all types T. This allows non-Send types such as Rc and non-Sync types such as Cell to be used across thread boundaries which can trigger undefined behavior and memory corruption...
Compiler optimisation for next_with_timeout in pnet::transport::IcmpTransportChannelIterator flaws to SEGFAULT
Affected versions of this crate were optimized out by compiler, which caused dereference of uninitialized file descriptor which caused segfault...
Out-of-bounds array access leads to panic
Affected versions of the crate have a bug where attacker-controlled input can result in the use of an out-of-bound array index. Rust detects the use of the out-of-bound index and causes the application to panic. An attacker may be able to use this to cause a denial-of-service. However, it is not...
Failure to verify the public key of a `SignedEnvelope` against the `PeerId` in a `PeerRecord`
Affected versions of this crate did not check that the public key the signature was created with matches the peer ID of the peer record. Any combination was considered valid. This allows an attacker to republish an existing PeerRecord with a different PeerId...
`OCSP_basic_verify` may incorrectly verify the response signing certificate
The function OCSPbasicverify verifies the signer certificate on an OCSP response. In the case where the non-default flag OCSPNOCHECKS is used then the response will be positive meaning a successful verification even in the case where the response signing certificate fails to verify. It is...
Unexpected panic in multihash `from_slice` parsing code
In versions prior 0.11.3 it's possible to make fromslice panic by feeding it certain malformed input. It's never documented that fromslice and frombytes which wraps it can panic, and its' return type Result suggests otherwise. In practice, fromslice/frombytes is frequently used in networking code...
DNS rebinding and cross-origin CSRF in dynoxide's MCP HTTP transport
dynoxide's MCP HTTP transport was vulnerable to DNS rebinding via its transitive rmcp dependency, plus a related cross-origin CSRF gap. A malicious web page could make the user's browser send requests to a local dynoxide mcp --http or dynoxide serve --mcp server with a non-loopback Host header,...
Timing attack
Affecting versions did not compare tokens in constant time, which could make it possible for an attacker to guess the 2fa token of a user. This has been fixed by using using the crate constanttimeeq for comparison...
Task dropped in wrong thread when aborting `LocalSet` task
When aborting a task with JoinHandle::abort, the future is dropped in the thread calling abort if the task is not currently being executed. This is incorrect for tasks spawned on a LocalSet. This can easily result in race conditions as many projects use Rc or RefCell in their Tokio tasks for bett...
misc::vec_with_size() can drop uninitialized memory if clone panics
misc::vecwithsize creates a vector of the provided size and immediately calls vec.setlensize on it, initially filling it with uninitialized memory. It then inserts elements using veci = value.clone. If the value.clone call panics, uninitialized items in the vector will be dropped leading to...
Future<T> lacks bounds on Send and Sync.
tinyfuture contains a light-weight implementation of Futures. The Future type it has lacked bound on its Send and Sync traits. This allows for a bug where non-thread safe types such as Cell can be used in Futures and cause data races in concurrent programs. The flaw was corrected in commit c79191...
ordered_float:NotNan may contain NaN after panic in assignment operators
After using an assignment operators such as NotNan::addassign, NotNan::mulassign, etc., it was possible for the resulting NotNan value to contain a NaN. This could cause undefined behavior in safe code, because the safe NotNan::cmp method contains internal unsafe code that assumes the value is...
Potential segfault in the time crate
Impact The affected functions set environment variables without synchronization. On Unix-like operating systems, this can crash in multithreaded programs. Programs may segfault due to dereferencing a dangling pointer if an environment variable is read in a different thread than the affected...
Format string vulnerabilities in `pancurses`
pancurses::mvprintw and pancurses::printw passes a pointer from a rust &str to C, allowing hostile input to execute a format string attack, which trivially allows writing arbitrary data to stack memory...
Bincode is unmaintained
Due to a doxxing and harassment incident, the bincode team has taken the decision to cease development permanently. The team considers version 1.3.3 a complete version of bincode that is not in need of any updates. Alternatives to consider wincode postcard bitcode rkyv...
Ouroboros is Unsound
Summary Ouroboros has a soundness problem, but a fix has been implemented in 0.16.0. More details: In 0.15.0, Ouroboros works internally by creating a struct where all uses of 'this are replaced by 'static. However, a recent addition to Miri checks that references passed to functions are valid...
`tauri`'s `readDir` endpoint allows possible enumeration outside of filesystem scope
It is possible for readDir to incorrectly enumerate files from a symlinked directory if called recursively when specifying an empty string for the dir parameter as outlined in this issue. This is corrected in this PR by checking if a directory is a symlink before reading from it...
Converting `NSString` to a String Truncates at Null Bytes
Methods of NSString for conversion to a string may return a partial result. Since they call CStr::fromptr on a pointer to the string buffer, the string is terminated at the first null byte, which might not be the end of the string. In addition to the vulnerable functions listed for this issue, th...
Some lock_api lock guard objects can cause data races
Affected versions of lockapi had unsound implementations of the Send or Sync traits for some guard objects, namely: MappedMutexGuard MappedRwLockReadGuard MappedRwLockWriteGuard RwLockReadGuard RwLockWriteGuard These guards could allow data races through types that are not safe to Send across...
Bad-free in `MetaCallException::new`
exceptionstruct is a local stack variable, but the code passes its address to the C language as &mut exceptionstruct as mut as mut cvoid. Then, the returned MetaCallException value is stored here: rust OkSelf exceptionstruct: Arc::newexceptionstruct, value: exceptionptr, leak: false, Because leak...
Conversion from `prost_types::Timestamp` to `SystemTime` can cause an overflow and panic
Affected versions of this crate contained a bug in which untrusted input could cause an overflow and panic when converting a Timestamp to SystemTime. It is recommended to upgrade to prost-types v0.8 and switch the usage of From for SystemTime to TryFrom for SystemTime. See 438 for more informatio...
Archives may contain uninitialized memory
rkyv is a serialization framework that writes struct-compatible memory to be stored or transmitted. During serialization, struct padding bytes and unused enum bytes may not be initialized. These bytes may be written to disk or sent over unsecured channels...
Internally mutating methods take immutable ref self
Affected versions of this crate exposed several methods which took self by immutable reference, despite the requesting the RenderDoc API to set a mutable value internally. This is technically unsound and calling these methods from multiple threads without synchronization could lead to unexpected...
Use after free in CMS Signing
Affected versions of the OpenSSL crate used structures after they'd been freed...
Panic when lifting `flags` component value
This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-m758-wjhj-p3jq For more information see the GitHub-hosted security advisory...
Rand is unsound with a custom logger using `rand::rng()`
It has been reported by @lopopolo that the rand library is unsound i.e. that safe code using the public API can cause Undefined Behaviour when all the following conditions are met: - The log and threadrng features are enabled - A custom logger is defined - The custom logger accesses rand::rng...
Use after free with `externref`s and epoch interruption in Wasmtime
Use after free with externrefs and epoch interruption in Wasmtime...
Incorrect handling of embedded SVG and MathML leads to mutation XSS
Affected versions of this crate did not account for namespace-related parsing differences between HTML, SVG, and MathML. Even if the svg and math elements are not allowed, the underlying HTML parser still treats them differently. Running cleanup without accounting for these differing namespaces...
StackVec::extend can write out of bounds when size_hint is incorrect
StackVec::extend used the lower and upper bounds from an Iterator's sizehint to determine how many items to push into the stack based vector. If the sizehint implementation returned a lower bound that was larger than the upper bound, StackVec would write out of bounds and overwrite memory on the...
Use-after-free in `subscript_next` and `subscript_prev` wrappers
Affected versions of this crate had an unsound implementation which could pass a pointer to freed memory to ydbsubscriptnextst and ydbsubscriptprevst if the variable and subscripts did not have enough memory allocated on the first call to hold the next variable in the database. For example, the...
conquer-once's OnceCell lacks Send bound for its Sync trait.
Affected versions of conquer-once implements Sync for its OnceCell type without restricting it to Sendable types. This allows non-Send but Sync types such as MutexGuard to be sent across threads leading to undefined behavior and memory corruption in concurrent programs. The issue was fixed by...
Flaw in `realloc` allows reading unknown memory
When reallocing, if we allocate new space, we need to copy the old allocation's bytes into the new space. There are oldsize number of bytes in the old allocation, but we were accidentally copying newsize number of bytes, which could lead to copying bytes into the realloc'd space from past the chu...
Improper `Sync` implementation on `FuturesUnordered` in futures-utils can cause data corruption
Affected versions of the crate had an unsound Sync implementation on the FuturesUnordered structure, which used a Cell for interior mutability without any code to handle synchronized access to the underlying task list's length and head safely. This could of lead to data corruption since two threa...
ChaCha20 counter overflow can expose repetitions in the keystream
The ChaCha20 stream cipher can produce a maximum of 2^32 blocks 256GB before the 32-bit counter overflows. Releases of the chacha20 crate prior to v0.2.3 allow generating keystreams larger than this, including seeking past the limit. When this occurs, the keystream is duplicated, with failure mod...
surf is unmaintained
The surf crate is unmaintained, and all versions are affected. For alternatives, consider using reqwest or ureq. See this issue for more context...
evm incorrect state transition
SputnikVM, also called evm, is a Rust implementation of Ethereum Virtual Machine. A custom stateful precompile can use the isstatic parameter to determine if the call is executed in a static context via STATICCALL, and thus decide if stateful operations should be done. Prior to version 0.36.0, th...
Slack Webhooks secrets leak in debug logs
Debug log formatting made it possible to leak Webhooks secrets into debug logs. The patched version has introduced more strict checks to avoid this...
Data race in `Iter` and `IterMut`
In the affected version of this crate, Iter, IterMut::next used a weaker memory ordering when loading values than what was required, exposing a potential data race when iterating over a ThreadLocal's values. Crates using Iter::next, or IterMut::next are affected by this issue...
Tape::take_bytes exposes uninitialized memory to a user-provided Read
Affected versions of this crate passed an unininitialized buffer to a user-provided Read instance in Tape::takebytes. This can result in safe Read implementations reading from the uninitialized buffer leading to undefined behavior. The flaw was corrected in commit 1f2dc7f37dd by removing the unsa...
panic safety issue in `impl TransformContent<S, D> for [S; (2|3|4)]`
Affected versions of this crate did not guard against double drop while temporarily duplicating objects' ownership using ptr::read. Upon panic in a user-provided function conversion, objects that are copied by ptr::read are dropped twice, leading to memory corruption. The flaw was corrected in...
Cache<K>: Send/Sync impls needs trait bounds on `K`
Affected versions of this crate unconditionally implement Send/Sync for Cache. This allows users to insert K that is not Send or not Sync. This allows users to create data races by using non-Send types like Arc or Rc as K in Cache. It is also possible to create data races by using types like Cell...
AtomicBox<T> implements Send/Sync for any `T: Sized`
Affected versions of this crate implements Send/Sync for AtomicBox without requiring T: Send/T: Sync. This allows to create data races to T: !Sync and send T: !Send to another thread. Such behavior breaks the compile-time thread safety guarantees of Rust, and allows users to incur undefined...
AtomicOption should have Send + Sync bound on its type argument.
In the affected versions of this crate, AtomicOption unconditionally implements Sync. This allows programmers to move non-Sync types across thread boundaries e.g. Rc, Arc, which can lead to data races and undefined behavior. It is also possible to send non-Send types like std::sync::MutexGuard to...
Misbehaving `HandleLike` implementation can lead to memory safety violation
Unsafe code in ObjectPool has time-of-check to time-of-use TOCTOU bug that can eventually lead to a memory safety violation. ObjectPool and HandlePool implicitly assumes that HandleLike trait methods are pure, i.e., they always return the same value. However, this assumption is unsound since...
Contents of uninitialized memory exposed in DeflateOutput's AsyncRead implementation
Affected versions of this crate passes an uninitialized buffer to a user-provided trait function AsyncRead::pollread. Arbitrary AsyncRead::pollread implementations can read from the uninitialized buffer memory exposure and also can return incorrect number of bytes written to the buffer. Reading...
SSL/TLS MitM vulnerability due to insecure defaults
All versions of rust-openssl prior to 0.9.0 contained numerous insecure defaults including off-by-default certificate verification and no API to perform hostname verification. Unless configured correctly by a developer, these defaults could allow an attacker to perform man-in-the-middle attacks...
`pretty-changelog-logger` was removed from crates.io for malicious code
pretty-changelog-logger contains a build script build.rs that acts as a loader/dropper for malicious payloads. The malicious crate had 3 versions published on 2026-04-08 that had a total of 2239 downloads. There were no crates depending on this crate on crates.io. Thanks to Socket.dev for detecti...
memoffset allows reading uninitialized memory
memoffset allows attempt of reading data from address 0 with arbitrary type. This behavior is an undefined behavior because address 0 to std::mem::sizeof may not have valid bit-pattern with T. Old implementation dereferences uninitialized memory obtained from std::mem::alignof. Older implementati...
`openssl` `X509Extension::new` and `X509Extension::new_nid` null pointer dereference
These functions would crash when the context argument was None with certain extension types. Thanks to David Benjamin Google for reporting this issue...