1141 matches found
buf_redux is Unmaintained
Last release was over three years ago. The maintainers have been unreachable to respond to any issues that may or may not include security issues. The repository is now archived and there is no security policy in place to contact the maintainers otherwise. The safety-undocumented unsafe in the...
Bug in Wasmtime implementation of pooling instance allocator
Bug in Wasmtime's implementation of its pooling instance allocator when the allocator is configured to give WebAssembly instances a maximum of zero pages of memory. In this configuration, the virtual memory mapping for WebAssembly memories did not meet the compiler-required configuration...
matrix-sdk Impersonation of room keys
When the user receives a forwarded room key, the software accepts it without checking who the room key came from. This allows homeservers to try to insert room keys of questionable validity, potentially mounting an impersonation attack...
Denial of service on deeply nested fragment requests
Deeply nested fragments in a GraphQL request may cause a stack overflow in the server...
Panic due to improper UTF-8 indexing
When parsing untrusted rulex expressions, rulex may panic, possibly enabling a Denial of Service attack. This happens when the expression contains a multi- byte UTF-8 code point in a string literal or after a backslash, because rulex tries to slice into the code point and panics as a result. The...
Data race when sending and receiving after closing a `oneshot` channel
If a tokio::sync::oneshot channel is closed via the oneshot::Receiver::close method, a data race may occur if the oneshot::Sender::send method is called while the corresponding oneshot::Receiver is awaited or calling tryrecv. When these methods are called concurrently on a closed channel, the two...
Data race in crossbeam-deque
In the affected version of this crate, the result of the race condition is that one or more tasks in the worker queue can be popped twice instead of other tasks that are forgotten and never popped. If tasks are allocated on the heap, this can cause double free and a memory leak. If not, this stil...
`through` and `through_and` causes a double free if the map function panics
through and throughand take a mutable reference as well as a mapping function to change the provided reference. They do this by calling ptr::read on the reference which duplicates ownership and then calling the mapping function. If the mapping function panics, both the original object and the one...
`nb-connect` invalidly assumes the memory layout of std::net::SocketAddr
The nb-connect crate has assumed std::net::SocketAddrV4 and std::net::SocketAddrV6 have the same memory layout as the system C representation sockaddr. It has simply casted the pointers to convert the socket addresses to the system representation. The standard library does not say anything about...
Double drop upon panic in 'fn map_array()'
Affected versions of this crate did not guard against panic within the user-provided function f 2nd parameter of fn maparray, and thus panic within f causes double drop of a single object. The flaw was corrected in the 0.4.0 release by wrapping the object vulnerable to a double drop within...
`Read` on uninitialized buffer in `fill_buf()` and `read_up_to()`
Affected versions of this crate passes an uninitialized buffer to a user-provided Read implementation. Arbitrary Read implementations can read from the uninitialized buffer memory exposure and also can return incorrect number of bytes written to the buffer. Reading from uninitialized memory...
Bunch<T> unconditionally implements Send/Sync
Affected versions of this crate unconditionally implements Send/Sync for Bunch. This allows users to insert T: !Sync to Bunch. It is possible to create a data race to a T: !Sync by invoking the Bunch::get API which returns &T from multiple threads. It is also possible to send T: !Send to other...
futures_task::noop_waker_ref can segfault due to dereferencing a NULL pointer
Affected versions of the crate used a UnsafeCell in thread-local storage to return a noop waker reference, assuming that the reference would never be returned from another thread. This resulted in a segmentation fault crash if Waker::wakebyref was called on a waker returned from another thread du...
Relies on undefined behavior of `char::from_u32_unchecked`
The Windows implementation of this crate relied on the behavior of std::char::fromu32unchecked when its safety clause is violated. Even though this worked with Rust versions up to 1.42 at least, that behavior could change with any new Rust version, possibly leading a security issue. The flaw was...
Flaw in hyper allows request smuggling by sending a body in GET requests
Vulnerable versions of hyper allow GET requests to have bodies, even if there is no Transfer-Encoding or Content-Length header. As per the HTTP 1.1 specification, such requests do not have bodies, so the body will be interpreted as a separate HTTP request. This allows an attacker who can control...
Lifetime boundary for `raw_slice` and `raw_slice_mut` are incorrect
The affected version of rulinalg has incorrect lifetime boundary definitions for RowMut::rawslice and RowMut::rawslicemut. They do not conform with Rust's borrowing rule and allows the user to create multiple mutable references to the same location. This may result in unexpected calculation resul...
bespoke Cell implementation allows obtaining several mutable references to the same data
The custom implementation of a Cell primitive in the affected versions of this crate does not keep track of mutable references to the underlying data. This allows obtaining several mutable references to the same object which may result in arbitrary memory corruption, most likely use-after-free. T...
Large cookie Max-Age values can cause a denial of service
Affected versions of this crate use the time crate and the method Duration::seconds to parse the Max-Age duration cookie setting. This method will panic if the value is greater than 2^64/1000 and less than or equal to 2^64, which can result in denial of service for a client or server. This flaw w...
Potential Panic on Overlong Ciphertext Buffer
An application that passes in a ciphertext buffer of length greater than ptxt.len + TAGLEN to libcruxchacha20poly1305::encrypt or libcruxchacha20poly1305::xchacha20poly1305::encrypt would experience a panic. Impact An application where the length of the ciphertext buffer is under attacker control...
tar-rs incorrectly ignores PAX size headers if header size is nonzero
Versions 0.4.44 and below of tar-rs have conditional logic that skips the PAX size header in cases where the base header size is nonzero. As part of CVE-2025-62518astral-cve, the astral-tokio-tar project was changed to correctly honor PAX size headers in the case where it was different from the...
Stack overflow during recursive expression parsing
When parsing untrusted rulex expressions, the stack may overflow, possibly enabling a Denial of Service attack. This happens when parsing an expression with several hundred levels of nesting, causing the process to abort immediately. The flaw was corrected in commits 60aa2dc03a by adding a check ...
Potential unaligned read
On windows, atty dereferences a potentially unaligned pointer. In practice however, the pointer won't be unaligned unless a custom global allocator is used. In particular, the System allocator on windows uses HeapAlloc, which guarantees a large enough alignment. atty is Unmaintained A Pull Reques...
Multiple functions can cause double-frees
The following functions in the crate are affected: IdMap::clonefrom The clonefrom implementation for IdMap drops the values present in the map and then begins cloning values from the other map. If a .clone call pancics, then the afformentioned dropped elements can be freed again. getorinsert...
Use after free possible in `uri::Formatter` on panic
Affected versions of this crate transmuted a &str to a &'static str before pushing it into a StackVec, this value was then popped later in the same function. This was assumed to be safe because the reference would be valid while the method's stack was active. In between the push and the pop,...
KeyValueReader passes uninitialized memory to Read instance
The KeyValueReader type in affected versions of this crate set up an uninitialized memory buffer and passed them to be read in to a user-provided Read instance. The Read instance could read uninitialized memory and cause undefined behavior and miscompilations. This issue was fixed in commit dd59b...
`Read` on uninitialized buffer may cause UB (`impl Walue for Vec<u8>`)
Affected versions of this crate passes an uninitialized buffer to a user-provided Read implementation. Arbitrary Read implementations can read from the uninitialized buffer memory exposure and also can return incorrect number of bytes written to the buffer. Reading from uninitialized memory...
Record::read : Custom `Read` on uninitialized buffer may cause UB
Affected versions of this crate passes an uninitialized buffer to a user-provided Read implementation. Record::read Arbitrary Read implementations can read from the uninitialized buffer memory exposure and also can return incorrect number of bytes written to the buffer. Reading from uninitialized...
Thex<T> allows data races of non-Send types across threads
thex::Thex implements Sync for all types T. However, it is missing a bound for T: Send. This allows non-Send types such as Rc to be sent across thread boundaries which can trigger undefined behavior and memory corruption...
VecCopy allows misaligned access to elements
VecCopy::data is created as a Vec of u8 but can be used to store and retrieve elements of different types leading to misaligned access. The issue was resolved in v0.5.0 by replacing data being stored by Vec with a custom managed pointer. Elements are now stored and retrieved using types with prop...
Obstack generates unaligned references
Obstack generates unaligned references for types that require a large alignment...
failure is officially deprecated/unmaintained
The failure crate is officially end-of-life: it has been marked as deprecated by the former maintainer, who has announced that there will be no updates or maintenance work on it going forward. The following are some suggested actively developed alternatives to switch to: - anyhow - eyre - fehler ...
Parsing a specially crafted message can result in a stack overflow
Affected versions of this crate contained a bug in which decoding untrusted input could overflow the stack. On architectures with stack probes like x86, this can be used for denial of service attacks, while on architectures without stack probes like ARM overflowing the stack is unsound and can...
Type confusion if __private_get_type_id__ is overridden
Safe Rust code can implement malfunctioning privategettypeid and cause type confusion when downcasting, which is an undefined behavior. Users who derive Fail trait are not affected...
scalarmult() vulnerable to degenerate public keys
The scalarmult function included in previous versions of this crate accepted all-zero public keys, for which the resulting Diffie-Hellman shared secret will always be zero regardless of the private key used. This issue was fixed by checking for this class of keys and rejecting them if they are us...
Remote memory exhaustion in quinn-proto from unbounded out-of-order stream reassembly
The Assembler component that assembles unordered stream fragments into consecutive chunks of the stream incurs some overhead for non-contiguous fragments. Readers that read from a RecvStream in order through an AsyncRead impl for example will be sensitive to peers that send fragments while leavin...
`pqcrypto` is unmaintained: upstream PQClean project being archived
The pqcrypto crate and the entire pqcrypto- ecosystem wrap C implementations from PQClean. The PQClean project is being archived in or after July 2026 see PQClean/PQClean604, after which no further security patches, algorithm updates, or bug fixes will be applied to the upstream implementations. ...
`safe-agent-rs` was removed from crates.io for being affiliated with malicious code
While safe-agent-rs did not directly contain malicious code, it was owned by the same user as pretty-changelog-logger and microsoftsystem64. safe-agent-rs also appeared to be imitating a different websocket library. We decided to remove it out of an abundance of caution. This crate had 2 versions...
Parsing borsh messages with ZST which are not-copy/clone is unsound
Affected versions of borsh cause undefined behavior when zero-sized-types ZST are parsed and the Copy/Clone traits are not implemented/derived. For instance if 1000 instances of a ZST are deserialized, and the ZST is not copy this can be achieved through a singleton, then accessing/writing to...
Incorrect Lifetime Bounds on Closures in `rusqlite`
The lifetime bound on several closure-accepting rusqlite functions specifically, functions which register a callback to be later invoked by SQLite was too relaxed. If a closure referencing borrowed values on the stack is was passed to one of these functions, it could allow Rust code to access...
sodiumoxide is deprecated
Alternatives may be found - not in any specific order: - libsodium-sys-stable - dryoc - RustCrypto/nacl-compat cryptobox, cryptokx, cryptosecretstream - RustCrypto/xsalsa20poly1305 cryptosecretbox - Signatory - ed25519-compact - ed25519-dalek - ring Recommendations can be also found from: - Aweso...
Uncontrolled Search Path Element in sharkdp/bat
bat on windows before 0.18.2 executes programs named less.exe from the current working directory. This can lead to unintended code execution...
`grep-cli` may run arbitrary executables on Windows
On Windows in versions of grep-cli prior to 0.1.6, it's possible for some of the routines to execute arbitrary executables. In particular, a quirk of the Windows process execution API is that it will automatically consider the current directory before other directories when resolving relative...
Deserializing an array can drop uninitialized memory on panic
The readbytesdefaultle function for T; n arrays, used to deserialize arrays of T from bytes created a T; n array with std::mem::uninitialized and then called T's deserialization method. If T's deserialization method panicked, the uninitialized memory could drop invalid objects. This flaw was...
swap_index can write out of bounds and return uninitialized memory
swapindex takes an iterator and swaps the items with their corresponding indexes. It reserves capacity and sets the length of the vector based on the .len method of the iterator. If the len returned by the iterator is larger than the actual number of elements yielded, then swapindex creates a...
Incorrect check on buffer length when seeding RNGs
Summary: randcore::le::readu32into and readu64into have incorrect checks on the source buffer length, allowing the destination buffer to be under-filled. Implications: some downstream RNGs, including Hc128Rng but not the more widely used ChaChaRng, allow seeding using the SeedableRng::fromseed...
Soundness issues in `raw-cpuid`
Undefined behavior in asstring methods VendorInfo::asstring, SoCVendorBrand::asstring, and ExtendedFunctionInfo::processorbrandstring construct byte slices using std::slice::fromrawparts, with data coming from reprRust structs. This is always undefined behavior. See...
QueryInterface should call AddRef before returning pointer
Affected version of this crate, which is a required dependency in com-impl, provides a faulty implementation of the IUnknown::QueryInterface method. QueryInterface implementation must call IUnknown::AddRef before returning the pointer, as describe in this documentation: As it is not incrementing...
Update unsound DrainFilter and RString::retain
Affected versions of this crate contained code from the Rust standard library that contained soundness bugs rust-lang/rust60977 double drop & rust-lang/rust78498 create invalid utf-8 string. The flaw was corrected in v0.9.1 by making a similar fix to the one made in the Rust standard library...
SyncRef's clone() and debug() allow data races
Affected versions of this crate unconditionally implement Sync for SyncRef. This definition allows data races if &T is accessible through &SyncRef. SyncRef derives Clone and Debug, and the default implementations of those traits access &T by invoking T::clone & T::fmt. It is possible to create da...
ImageChunkMut needs bounds on its Send and Sync traits
In the affected versions of this crate, ImageChunkMut unconditionally implements Send and Sync, allowing to create data races. This can result in a memory corruption or undefined behavior when non thread-safe types are moved and referenced across thread boundaries. The flaw was corrected in commi...