Lucene search
K
RustsecRecent

1141 matches found

RustSec
RustSec
•added 2026/05/21 12:0 p.m.•19 views

WASI path_open(TRUNCATE) bypasses `FilePerms::WRITE` host restriction

This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-2r75-cxrj-cmph For more information see the GitHub-hosted security advisory...

7.5CVSS5.8AI score0.00357EPSS
Exploits0Affected Software1
RustSec
RustSec
•added 2026/05/18 12:0 p.m.•18 views

PAX Header Desynchronization in astral-tokio-tar

Versions of astral-tokio-tar prior to 0.6.2 contain a PAX header interpretation bug that allows manipulated entries to be made selectively visible or invisible during extraction with astral-tokio-tar versus other tar implementations. An attacker could use this differential to smuggle unexpected...

5.8AI score
Exploits0Affected Software1
RustSec
RustSec
•added 2026/05/16 12:0 p.m.•13 views

Read-only volume remount bypass via guest CAP_SYS_ADMIN

Affected versions of boxlite mount host directories shared via virtiofs as guest-side read-only by setting MSRDONLY from the guest. Because the default guest capability set included CAPSYSADMIN, untrusted code running inside a sandbox could execute mount -o remount,rw to re-flag the share as...

10CVSS5.9AI score0.00289EPSS
Exploits0Affected Software1
RustSec
RustSec
•added 2026/05/16 12:0 p.m.•15 views

OCI layer symlink escape → arbitrary host write

Affected versions of boxlite extract OCI image layer tarballs without fully containing path resolution to the extraction root. A crafted layer containing a symlink whose target is an absolute on-host path e.g. escape - /tmp followed by a file entry that resolves through that symlink e.g...

9.6CVSS5.8AI score0.00482EPSS
Exploits0Affected Software1
RustSec
RustSec
•added 2026/05/15 12:0 p.m.•15 views

Unbounded 32-bit allocation

Both the SSH agent server and client accepted peer-controlled frame lengths without enforcing a maximum frame size. This could cause large memory allocations while parsing a maliciously crafted agent frame. A malicious peer could advertise an oversized frame length, causing the client or server t...

7.5CVSS5.9AI score0.00263EPSS
Exploits0Affected Software1
RustSec
RustSec
•added 2026/05/15 12:0 p.m.•16 views

Unchecked `CryptoVec` allocation and growth handling

CryptoVec used unchecked capacity growth, unchecked length arithmetic, and unsafe allocation and locking paths. In affected russh releases, attacker-controlled input could reach these code paths through buffer resizing operations. Two affected reachability paths were identified: Current russh...

7.5CVSS6.2AI score0.00263EPSS
Exploits0Affected Software1
RustSec
RustSec
•added 2026/05/14 12:0 p.m.•12 views

Double-free in `vmem` storage reachable from safe Rust (predecessor of `oneringbuf`)

mutringbuf is the archived predecessor of oneringbuf — the crate was renamed and the GitHub repository was archived on 2025-11-20. All released versions up to 1.0.0 carry the same vmem-feature double-free bug that affects oneringbuf, with the same code paths and the same reproduction shape. When...

5.9AI score
Exploits0
RustSec
RustSec
•added 2026/05/14 12:0 p.m.•17 views

TLS hostname verification disabled when using Boring TLS backend

An inverted-boolean bug in lettre's boring-tls integration silently disables TLS hostname verification for callers using the default strict configuration. An on-path attacker presenting any chain-valid certificate for any domain can intercept SMTP submission, including PLAIN/LOGIN credentials and...

5.8AI score
Exploits0Affected Software1
RustSec
RustSec
•added 2026/05/14 12:0 p.m.•12 views

Double-free in `vmem` storage reachable from safe Rust

When the vmem feature is enabled, VmemStorage::newBox and every public constructor that funnels through it — ConcurrentHeapRB::defaultcap, ConcurrentHeapRB::fromVec, From, etc. bit-copies the input buffer into a freshly mmap'd region with ptr::copynonoverlapping, then lets the source Box drop...

5.9AI score
Exploits0Affected Software1
RustSec
RustSec
•added 2026/05/13 12:0 p.m.•9 views

Potential undefined behavior with Signature from a buffer-created BlameHunk

When a Blame is created via Blame::blamebuffer, and a BlameHunk is retrieved, the pointers to the original author, original committer, final author, and final committer may be null if unavailable. The corresponding BlameHunk methods then create Signatures based on null pointers; attempting to...

5.3AI score
Exploits0Affected Software1
RustSec
RustSec
•added 2026/05/12 12:0 p.m.•9 views

Potential undefined behavior when calling Remote::list()

When calling Remote::list for a remote of a git repository, when that remote does not advertise any references, git2 passes a null pointer to the unsafe function slice::fromrawparts. Based on the safety section documentation of function, data must be non-null even for slices of length zero. Thus,...

5.3AI score
Exploits0Affected Software1
RustSec
RustSec
•added 2026/05/12 12:0 p.m.•31 views

DNS rebinding and cross-origin CSRF in dynoxide's MCP HTTP transport

dynoxide's MCP HTTP transport was vulnerable to DNS rebinding via its transitive rmcp dependency, plus a related cross-origin CSRF gap. A malicious web page could make the user's browser send requests to a local dynoxide mcp --http or dynoxide serve --mcp server with a non-loopback Host header,...

8.8CVSS5.8AI score0.00213EPSS
Exploits0Affected Software1
RustSec
RustSec
•added 2026/05/08 12:0 p.m.•19 views

`InterfaceAccount` allows account substitution between unexpected types

Affected versions of anchor-lang allowed InterfaceAccount to accept accounts with an unexpected Anchor discriminator. A change to InterfaceAccount caused checked deserialization to be bypassed for this account wrapper, so validation proved only that the account owner matched one of the accepted...

5.8AI score
Exploits0Affected Software1
RustSec
RustSec
•added 2026/05/07 12:0 p.m.•10 views

`Program<System>` accepts arbitrary executable programs

Affected versions of anchor-lang did not properly validate accounts declared as Program. The generic Program validation path used Pubkey::default as a sentinel to decide whether any executable program should be accepted. Since the system program id is also the default pubkey, Program was treated...

8.2CVSS5.8AI score0.00246EPSS
Exploits0Affected Software1
RustSec
RustSec
•added 2026/05/05 12:0 p.m.•10 views

Denial of service in Steamworks game clients/servers using P2P authentication

Processing the raw ValidateAuthTicketResponset callback data panics when the meAuthSessionResponse field is kEAuthSessionResponseAuthTicketNetworkIdentityFailure. This can lead to denial of service in game clients and servers using the beginauthenticationsession API to authenticate players if a...

5.8AI score
Exploits0Affected Software1
RustSec
RustSec
•added 2026/05/05 12:0 p.m.•10 views

Signature Verification on AVX2 Platforms Mishandles Edge Case

The AVX2 implementation of ML-DSA verification incorrectly implemented the usehint function, mishandling an edge case that should lead to signature rejection. Impact An attacker could make the ML-DSA verifier accept a crafted invalid signature under a maliciously generated verification key, if th...

5.8AI score
Exploits0Affected Software1
RustSec
RustSec
•added 2026/05/02 12:0 p.m.•8 views

Double-free and use-after-free in `Keys::next()`

Keys::next uses ptr::read to move out the Option by value, which drops the contained V when V is non-Copy e.g. String. This leaves a dangling value in the map's storage slot. Subsequent get operations on that key return a dangling reference to already-freed memory. This can be triggered through...

5.7AI score
Exploits0
RustSec
RustSec
•added 2026/05/02 12:0 p.m.•10 views

Double-free in `Chomp::inner()`

Chomp::inner uses std::ptr::readunaligned to move out the value from a raw pointer. If the original value is an owned type e.g. Box, calling inner moves out the ownership, but the original variable will still be dropped at the end of its scope. This causes the same heap memory to be freed twice,...

5.8AI score
Exploits0
RustSec
RustSec
•added 2026/05/02 12:0 p.m.•12 views

Null-pointer dereference and double-free via safe APIs

Two soundness violations exist in the Rust bindings for MetaCall: Null-pointer dereference: MetaCallFuture::newraw accepts a raw pointer without validation. The Debug impl calls Box::fromrawself.data on it. Passing a null pointer causes the Debug impl to construct a NonNull from null, producing...

5.8AI score
Exploits0
RustSec
RustSec
•added 2026/05/02 12:0 p.m.•13 views

Potential out-of-bounds write via public `Context` fields

The Context struct has all fields public pub dlen, pub digest, etc.. Code from other modules within the same crate can directly modify dlen to a value exceeding the digest vector length. When reset is subsequently called, self.digestself.dlen as usize = 0 becomes an out-of-bounds write. Withdrawa...

5.8AI score
Exploits0
RustSec
RustSec
•added 2026/05/02 12:0 p.m.•10 views

Buffer overflow in `Clusterings::from_i32_column_major_order()`

The fromi32columnmajororder method can create inconsistent internal state. When labels length and nitems mismatch, nclusterings becomes labels.len / nitems truncated, but subsequent calls to label use indices that exceed the internal data bounds, causing a buffer overflow. For example,...

6AI score
Exploits0Affected Software1
RustSec
RustSec
•added 2026/05/02 12:0 p.m.•16 views

Integer overflow in `array::ReadWrite::new()` leading to potential memory corruption

In array::ReadWrite::new line 83 of accessor/src/array.rs, let bytes = mem::sizeof:: len can overflow usize when len is very large. In release mode, this silently wraps, potentially making bytes = 0. The mapper then maps with 0 bytes, and subsequent accesses e.g. readvolatileat lead to undefined...

5.9AI score
Exploits0
RustSec
RustSec
•added 2026/05/02 12:0 p.m.•11 views

Out-of-bounds read/write in `Index` and `IndexMut` implementations

The Index and IndexMut implementations for Caja use unchecked pointer arithmetic without bounds validation. Creating a Caja with a small key and then accessing an out-of-range index causes out-of-bounds reads or writes beyond the allocated memory. This can be triggered through safe public APIs —...

5.8AI score
Exploits0Affected Software1
RustSec
RustSec
•added 2026/05/02 12:0 p.m.•12 views

Invalid pointer arithmetic in `iter()` and `iter_mut()`

The iter and itermut APIs compute current = &children0 as const const RawAutoChild.sub1, which performs pointer subtraction going before the start of the allocation. This is undefined behavior per Rust's pointer arithmetic rules. This can be triggered through safe public APIs — iter and itermut —...

5.8AI score
Exploits0
RustSec
RustSec
•added 2026/05/02 12:0 p.m.•13 views

Out-of-bounds read in `bytes_helper` public safe functions

The byteshelper module contains multiple public functions intoarr4, intoarr2, u8fromlebytes that use slice.getuncheckedpos..pos + N without verifying that pos + N = slice.len. These are public safe API functions, allowing any caller to trigger undefined behavior by passing invalid positions. For...

5.8AI score
Exploits0Affected Software1
RustSec
RustSec
•added 2026/05/01 12:0 p.m.•6 views

NSEC3 closest-encloser proof validation enters unbounded loop on cross-zone responses

The NSEC3 closest-encloser proof validation in hickory-proto's DnssecDnsHandle walks from the QNAME up to the SOA owner name, building a list of candidate encloser names. The iterator used assumes the QNAME is a descendant of the SOA owner, terminating only when the current candidate equals the S...

5.8AI score
Exploits0Affected Software1
RustSec
RustSec
•added 2026/05/01 12:0 p.m.•12 views

CPU exhaustion during message encoding due to O(n²) name compression

During message encoding, hickory-proto's BinEncoder stores pointers to labels that are candidates for name compression in a Vec. The name compression logic then searches for matches with a linear scan. A malicious message with many records can both introduce many candidate labels, and invoke this...

5.3CVSS6.8AI score0.00801EPSS
Exploits0Affected Software1
RustSec
RustSec
•added 2026/05/01 12:0 p.m.•10 views

NSEC3 closest-encloser proof validation enters unbounded loop on cross-zone responses

The NSEC3 closest-encloser proof validation in hickory-net's DnssecDnsHandle walks from the QNAME up to the SOA owner name, building a list of candidate encloser names. The iterator used assumes the QNAME is a descendant of the SOA owner, terminating only when the current candidate equals the SOA...

5.8AI score
Exploits0Affected Software1
RustSec
RustSec
•added 2026/05/01 12:0 p.m.•10 views

Fragile bounds check when sampling from image

A read of pixels was coded as modifying coordinates to lie within the image bounds. It would calculate a coordinate by adding a constant to an input and taking the minimum of the resulting coordinate and 'dimension - 1'. This would not protect against malicious inputs that could overflow the...

5.9AI score
Exploits0Affected Software1
RustSec
RustSec
•added 2026/05/01 12:0 p.m.•6 views

Fragile bounds check when sampling from image

A bounds check was performed in floating points before a cast to the index passed to an unchecked access function. This checked considered NaN cases improperly, causing them to succeed the check instead of failing it. The floating point coordinate is under caller control by passing a selected...

5.9AI score
Exploits0Affected Software1
RustSec
RustSec
•added 2026/05/01 12:0 p.m.•9 views

Improper check of an invariant resulting in incorrect bounds checks

A bounds verification of a slice storage of a 2-dimensional matrix's coefficients a kernel would compare the total size against the product of individual dimensions. This would erroneously cast after the multiplication and consequently fail to detect possible violations when overflow occurs...

5.9AI score
Exploits0Affected Software1
RustSec
RustSec
•added 2026/04/30 12:0 p.m.•12 views

Unsound access to padding bytes while serializing date/time values using the Mysql backend

Diesel-async uses the mysql-async crate for interacting with Mysql compatible databases. This library already provides access to deserialized data for date/time releated types. Diesel-async then translated these deserialized data back to their serialized binary representation to hook into diesels...

5.8AI score
Exploits0Affected Software1
RustSec
RustSec
•added 2026/04/30 12:0 p.m.•12 views

Panic when allocating a table exceeding the size of the host's address space

This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-p8xm-42r7-89xg For more information see the GitHub-hosted security advisory...

7.5CVSS5.2AI score0.00319EPSS
Exploits0Affected Software1
RustSec
RustSec
•added 2026/04/29 12:0 p.m.•7 views

DNS rebinding vulnerability in rmcp Streamable HTTP server transport

Prior to version 1.4.0, the rmcp crate's Streamable HTTP server transport did not validate the incoming Host header. This allowed a malicious public website, via a DNS rebinding attack, to send requests to an MCP server running on the victim's loopback or private-network interface. An attacker wh...

8.8CVSS5.8AI score0.00213EPSS
Exploits0Affected Software1
RustSec
RustSec
•added 2026/04/27 12:0 p.m.•7 views

`unpack_in` can chmod arbitrary directories by following symlinks

In versions 0.6.0 and earlier of astral-tokio-tar, the unpackin API could inadvertently modify the permissions of external i.e. non-archive directories outside of the archive. An attacker could use this to contrite a tar archive that maliciously changes directory permissions outside of its intend...

5.4AI score
Exploits0Affected Software1
RustSec
RustSec
•added 2026/04/27 12:0 p.m.•11 views

PAX Header Desynchronization in astral-tokio-tar

Versions of astral-tokio-tar prior to 0.6.1 contain a PAX header interpretation bug that allows manipulated entries to be made selectively visible or invisible during extraction with astral-tokio-tar versus other tar implementations. An attacker could use this differential to smuggle unexpected...

5.2AI score
Exploits0Affected Software1
RustSec
RustSec
•added 2026/04/27 12:0 p.m.•11 views

AVX2 Implementation Did Not Fully Reduce Intermediate Values

The AVX2 implementation of ML-DSA did not fully reduce intermediate inputs to the inverse NTT, which leads to a testable difference in panic behaviour of internal functions compared to the portable implementation. Impact We are not aware of inputs to the public key generation, signing or...

5.8AI score
Exploits0Affected Software1
RustSec
RustSec
•added 2026/04/24 12:0 p.m.•15 views

Unsound transmute while debug/display printing batch Insert statements in Diesel's SQLite backend

Diesel allows users to output the generated SQL for any query DSL construct via th diesel::debugquery function as Display and Debug output. For the particular implementation used by batch Insert statements in the SQLite backend Diesel relied on an unspecified transmute between types with a reprru...

5.9AI score
Exploits0Affected Software1
RustSec
RustSec
•added 2026/04/24 12:0 p.m.•12 views

Unsound access to padding bytes while serializing date/time values using the Mysql backend

Diesel relies on libmysqlclient for interacting with Mysql compatible databases. This library requires to provide date/time values according to the byte layout of their MYSQLTIME type. Diesel replicated this type as reprC struct, populated all the fields of this struct and then casted this value ...

5.8AI score
Exploits0Affected Software1
RustSec
RustSec
•added 2026/04/24 12:0 p.m.•17 views

Possible unaligned data access for implementations of `SqliteAggregate`

Diesel allows to register custom aggregate SQL functions for SQLite via the SqliteAggregate interface. To store an instance of the custom aggregate processor Diesel relied on the sqlite3aggregatecontext function provided by sqlite. This function doesn't provide any guarantees about alignment of t...

5.9AI score
Exploits0Affected Software1
RustSec
RustSec
•added 2026/04/24 12:0 p.m.•14 views

Possible UTF-8 corruption in Diesels SQLite backend

Diesel uses the sqlite3valuetext function to receive strings from SQLite while deserializing query results. We misinterpreted the corresponding SQLite documentation that this function always returns a UTF-8 encoded string values as const cchar. Based on that we used str::fromutf8unchecked to...

5.9AI score
Exploits0Affected Software1
RustSec
RustSec
•added 2026/04/24 12:0 p.m.•14 views

Command injection in Diesel's implementation of `COPY FROM`/`COPY TO`

Diesel allows users to configure various options for PostgreSQL's COPY FROM and COPY TO statements. These configurations are partially provided as strings or characters. Diesel did not check if any these user-provided options contain a quote character ', which can lead to the injection of...

5.8AI score
Exploits0Affected Software1
RustSec
RustSec
•added 2026/04/23 12:0 p.m.•23 views

`sui-execution-cut` was removed from crates.io for malicious code

sui-execution-cut included a build script that attempted to exfiltrate data from the build machine. The malicious crate had 1 version published on 2026-04-20 and had no evidence of actual usage. This crate had no dependencies on crates.io...

5.8AI score
Exploits0
RustSec
RustSec
•added 2026/04/23 12:0 p.m.•18 views

Potential use-after-free due to lack of panic safety in `InlineVec::clear` and `SerVec::clear`

InlineVec::clear and SerVec::clear in rkyv were not panic-safe. Both functions iterate over their elements and call dropinplace on each, updating self.len only after the loop. If an element's Drop implementation panics during the loop, self.len is left at its original value. A subsequent invocati...

5.8AI score
Exploits0Affected Software1
RustSec
RustSec
•added 2026/04/23 12:0 p.m.•14 views

bare-metal is deprecated

The bare-metal crate has been deprecated and archived. For Mutex and CriticalSection, see the critical-section crate instead...

5.2AI score
Exploits0
RustSec
RustSec
•added 2026/04/22 12:0 p.m.•13 views

`mysten-metrics` was removed from crates.io for malicious code

mysten-metrics included a build script that attempted to exfiltrate data from the build machine. The malicious crate had 1 version published on 2026-04-20 and had no evidence of actual usage. This crate had no dependencies on crates.io...

5.8AI score
Exploits0
RustSec
RustSec
•added 2026/04/22 12:0 p.m.•12 views

Record cache accepts AUTHORITY section NS from sibling zone via parent-pool zone-context elevation

The Hickory DNS project's experimental hickory-recursor crate's record cache DnsLru stores records from DNS responses keyed by each record's own name, type, not by the query that triggered the response. cacheresponse in crates/recursor/src/lib.rs chains ANSWER, AUTHORITY, and ADDITIONAL sections...

5.7AI score
Exploits0
RustSec
RustSec
•added 2026/04/22 12:0 p.m.•17 views

Reachable panic in certificate revocation list parsing

A panic was reachable when parsing certificate revocation lists via BorrowedCertRevocationList::fromder or OwnedCertRevocationList::fromder. This was the result of mishandling a syntactically valid empty BIT STRING appearing in the onlySomeReasons element of a IssuingDistributionPoint CRL...

5.8AI score
Exploits0Affected Software1
RustSec
RustSec
•added 2026/04/21 12:0 p.m.•11 views

Broken hard revocation handling

Before sq-git checks if a commit can be authenticated, it first looks for hard revocations. Because parsing a policy is expensive and a project's policy rarely changes, sq-git has an optimization to only check a policy if it hasn't checked it before. It does this by maintaining a set of policies...

5.4AI score
Exploits0Affected Software1
RustSec
RustSec
•added 2026/04/14 12:0 p.m.•13 views

Name constraints were accepted for certificates asserting a wildcard name

Permitted subtree name constraints for DNS names were accepted for certificates asserting a wildcard name. This was incorrect because, given a name constraint of accept.example.com, .example.com could feasibly allow a name of reject.example.com which is outside the constraint. This is very simila...

6.5CVSS6.5AI score0.00274EPSS
Exploits0Affected Software1
Total number of security vulnerabilities1141