Lucene search
K
RustsecRecent

1141 matches found

RustSec
RustSec
•added 2026/04/14 12:0 p.m.•11 views

Name constraints for URI names were incorrectly accepted

Name constraints for URI names were ignored and therefore accepted. Note this library does not provide an API for asserting URI names, and URI name constraints are otherwise not implemented. URI name constraints are now rejected unconditionally. Since name constraints are restrictions on otherwis...

5.8AI score
Exploits0Affected Software1
RustSec
RustSec
•added 2026/04/14 12:0 p.m.•13 views

Use-After-Free and Double Free in IntoIter::drop When Element Drop Panics

A Double Free / Use-After-Free UAF vulnerability has been identified in the IntoIter::drop and ThinVec::clear implementations of the thin-vec crate. Both vulnerabilities share the same root cause and can trigger memory corruption using only safe Rust code - no unsafe blocks required. Undefined...

7.3CVSS5.7AI score0.00168EPSS
Exploits1Affected Software1
RustSec
RustSec
•added 2026/04/14 12:0 p.m.•18 views

core2 is unmaintained, all versions yanked

The maintainer decided stop maintaining crate and yanked all published versions. Potential alternatives: - embedded-io solves the same general problem - no-std-io2 is a maintained fork...

5.2AI score
Exploits0
RustSec
RustSec
•added 2026/04/13 12:0 p.m.•24 views

`safe-agent-rs` was removed from crates.io for being affiliated with malicious code

While safe-agent-rs did not directly contain malicious code, it was owned by the same user as pretty-changelog-logger and microsoftsystem64. safe-agent-rs also appeared to be imitating a different websocket library. We decided to remove it out of an abundance of caution. This crate had 2 versions...

5.8AI score
Exploits0
RustSec
RustSec
•added 2026/04/13 12:0 p.m.•26 views

`pretty-changelog-logger` was removed from crates.io for malicious code

pretty-changelog-logger contains a build script build.rs that acts as a loader/dropper for malicious payloads. The malicious crate had 3 versions published on 2026-04-08 that had a total of 2239 downloads. There were no crates depending on this crate on crates.io. Thanks to Socket.dev for detecti...

5.8AI score
Exploits0
RustSec
RustSec
•added 2026/04/13 12:0 p.m.•12 views

`microsoftsystem64` was removed from crates.io for malicious code

microsoftsystem64 installs a hardcoded SSH authorizedkeys entry persistence/backdoor and scans for sensitive files .env, credential-like JSON names, keyword-matching docs, reads their contents, base64-encodes where needed, and exfiltrates everything to a remote server via HTTP. It also packages a...

5.8AI score
Exploits0
RustSec
RustSec
•added 2026/04/09 12:0 p.m.•6 views

Use-after-free bug after cloning `wasmtime::Linker`

This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-hfr4-7c6c-48w2 For more information see the GitHub-hosted security advisory...

5CVSS5.9AI score0.00117EPSS
Exploits0Affected Software1
RustSec
RustSec
•added 2026/04/09 12:0 p.m.•11 views

Heap OOB read in component model UTF-16 to latin1+utf16 string transcoding

This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-hx6p-xpx3-jvvv For more information see the GitHub-hosted security advisory...

8.1CVSS5.9AI score0.00376EPSS
Exploits0Affected Software1
RustSec
RustSec
•added 2026/04/09 12:0 p.m.•7 views

Miscompiled guest heap access enables sandbox escape on aarch64 Cranelift

This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-jhxm-h53p-jm7w For more information see the GitHub-hosted security advisory...

9CVSS5.9AI score0.00319EPSS
Exploits0Affected Software1
RustSec
RustSec
•added 2026/04/09 12:0 p.m.•9 views

Improperly masked return value from `table.grow` with Winch compiler backend

This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-f984-pcp8-v2p7 For more information see the GitHub-hosted security advisory...

7.5CVSS5.9AI score0.00214EPSS
Exploits0Affected Software1
RustSec
RustSec
•added 2026/04/09 12:0 p.m.•28 views

Panic when lifting `flags` component value

This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-m758-wjhj-p3jq For more information see the GitHub-hosted security advisory...

7.5CVSS5.9AI score0.00324EPSS
Exploits0Affected Software1
RustSec
RustSec
•added 2026/04/09 12:0 p.m.•28 views

Rand is unsound with a custom logger using `rand::rng()`

It has been reported by @lopopolo that the rand library is unsound i.e. that safe code using the public API can cause Undefined Behaviour when all the following conditions are met: - The log and threadrng features are enabled - A custom logger is defined - The custom logger accesses rand::rng...

5.7AI score
Exploits0Affected Software1
RustSec
RustSec
•added 2026/04/09 12:0 p.m.•6 views

Panic when transcoding misaligned component model UTF-16 strings

This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-jxhv-7h78-9775 For more information see the GitHub-hosted security advisory...

6.5CVSS5.9AI score0.00354EPSS
Exploits0Affected Software1
RustSec
RustSec
•added 2026/04/09 12:0 p.m.•8 views

Wasmtime segfault or unused out-of-sandbox load with `f64x2.splat` operator on Cranelift x86-64

This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-qqfj-4vcm-26hv For more information see the GitHub-hosted security advisory...

5.7CVSS5.9AI score0.00227EPSS
Exploits0Affected Software1
RustSec
RustSec
•added 2026/04/09 12:0 p.m.•12 views

Data leakage between pooling allocator instances

This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-6wgr-89rj-399p For more information see the GitHub-hosted security advisory...

6.3CVSS5.9AI score0.00286EPSS
Exploits0Affected Software1
RustSec
RustSec
•added 2026/04/09 12:0 p.m.•9 views

Host panic when Winch compiler executes `table.fill`

This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-q49f-xg75-m9xw For more information see the GitHub-hosted security advisory...

7.5CVSS5.9AI score0.00358EPSS
Exploits0Affected Software1
RustSec
RustSec
•added 2026/04/09 12:0 p.m.•21 views

Wasmtime with Winch compiler backend may allow a sandbox-escaping memory access

This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-xx5w-cvp6-jv83 For more information see the GitHub-hosted security advisory...

9.9CVSS5.9AI score0.00278EPSS
Exploits0Affected Software1
RustSec
RustSec
•added 2026/04/09 12:0 p.m.•9 views

`logprinter` was removed from crates.io for malicious code

The crate downloaded code from an external HTTP endpoint and executed it within its trace fn...

6AI score
Exploits0
RustSec
RustSec
•added 2026/04/09 12:0 p.m.•8 views

Host data leakage with 64-bit tables and Winch

This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-m9w2-8782-2946 For more information see the GitHub-hosted security advisory...

6.5CVSS5.9AI score0.00324EPSS
Exploits0Affected Software1
RustSec
RustSec
•added 2026/04/09 12:0 p.m.•140 views

Out-of-bounds write or crash when transcoding component model strings

This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-394w-hwhg-8vgm For more information see the GitHub-hosted security advisory...

6.1CVSS5.9AI score0.00216EPSS
Exploits0Affected Software1
RustSec
RustSec
•added 2026/04/07 12:0 p.m.•12 views

zantetsu-ffi is unmaintained

The zantetsu-ffi crate is no longer maintained. The Node.js, Python, and C FFI bindings it provided were removed as part of the zantetsu 0.2 release, which refocused the project on its core Rust library. A tombstone version 0.2.0 has been published and 0.1.4 has been yanked. There is no replaceme...

5.8AI score
Exploits0
RustSec
RustSec
•added 2026/04/07 12:0 p.m.•8 views

zantetsu-trainer is unmaintained

The zantetsu-trainer crate is no longer maintained. The ML training infrastructure it contained was removed as part of the zantetsu 0.2 release, which replaced the neural parser with a pure heuristic engine. A tombstone version 0.2.0 has been published and 0.1.4 has been yanked. There is no...

5.8AI score
Exploits0
RustSec
RustSec
•added 2026/04/05 12:0 p.m.•10 views

`logtrace` was removed from crates.io for malicious code

logtrace appeared to be downloading a RAT. The malicious crate had 2 versions published on 2026-04-01 that had a total of 30 downloads. There were no crates depending on this crate on crates.io. Thanks to Socket.dev for detecting and reporting this to the crates.io team!...

5.9AI score
Exploits0
RustSec
RustSec
•added 2026/03/30 12:0 p.m.•8 views

Symbol confusion after hasher panic in `intaglio` interners

Affected versions of this crate can leave all SymbolTable variants in an internally inconsistent state if a custom BuildHasher panics during HashMap::insert and the caller recovers with catchunwind. The intern implementations committed a vec.push... before the matching map.insert... completed. If...

5.9AI score
Exploits0Affected Software1
RustSec
RustSec
•added 2026/03/29 12:0 p.m.•24 views

Potential Panic on Overlong Ciphertext Buffer

An application that passes in a ciphertext buffer of length greater than ptxt.len + TAGLEN to libcruxchacha20poly1305::encrypt or libcruxchacha20poly1305::xchacha20poly1305::encrypt would experience a panic. Impact An application where the length of the ciphertext buffer is under attacker control...

5.9AI score
Exploits0Affected Software1
RustSec
RustSec
•added 2026/03/20 12:0 p.m.•7 views

`tokio-uds` is unmaintained

The tokio-uds crate is unmaintained. It was part of the Tokio 0.1 ecosystem and has been superseded by the main tokio crate...

5.7AI score
Exploits0
RustSec
RustSec
•added 2026/03/20 12:0 p.m.•9 views

`tokio-reactor` is unmaintained

The tokio-reactor crate is unmaintained. It was part of the Tokio 0.1 ecosystem and has been superseded by the main tokio crate...

5.7AI score
Exploits0
RustSec
RustSec
•added 2026/03/20 12:0 p.m.•6 views

`tokio-udp` is unmaintained

The tokio-udp crate is unmaintained. It was part of the Tokio 0.1 ecosystem and has been superseded by the main tokio crate...

5.7AI score
Exploits0
RustSec
RustSec
•added 2026/03/20 12:0 p.m.•7 views

`tokio-codec` is unmaintained

The tokio-codec crate is unmaintained. It was part of the Tokio 0.1 ecosystem and has been superseded by the tokio-util crate...

5.7AI score
Exploits0
RustSec
RustSec
•added 2026/03/20 12:0 p.m.•7 views

`tokio-sync` is unmaintained

The tokio-sync crate is unmaintained. It was part of the Tokio 0.1 ecosystem and has been superseded by the main tokio crate...

5.7AI score
Exploits0
RustSec
RustSec
•added 2026/03/20 12:0 p.m.•7 views

`tokio-current-thread` is unmaintained

The tokio-current-thread crate is unmaintained. It was part of the Tokio 0.1 ecosystem and has been superseded by the main tokio crate...

5.7AI score
Exploits0
RustSec
RustSec
•added 2026/03/20 12:0 p.m.•8 views

`tokio-compat` is unmaintained

The tokio-compat crate is unmaintained. It was part of the transition from Tokio 0.1 to 0.2...

5.8AI score
Exploits0
RustSec
RustSec
•added 2026/03/20 12:0 p.m.•8 views

`tokio-executor` is unmaintained

The tokio-executor crate is unmaintained. It was part of the Tokio 0.1 ecosystem and has been superseded by the main tokio crate...

5.7AI score
Exploits0
RustSec
RustSec
•added 2026/03/20 12:0 p.m.•9 views

`tokio-tls` is unmaintained

The tokio-tls crate is unmaintained. It was part of the Tokio 0.1 ecosystem and has been superseded by the main tokio crate...

5.7AI score
Exploits0
RustSec
RustSec
•added 2026/03/20 12:0 p.m.•7 views

`tokio-signal` is unmaintained

The tokio-signal crate is unmaintained. It was part of the Tokio 0.1 ecosystem and has been superseded by the main tokio crate...

5.7AI score
Exploits0
RustSec
RustSec
•added 2026/03/20 12:0 p.m.•9 views

`tokio-threadpool` is unmaintained

The tokio-threadpool crate is unmaintained. It was part of the Tokio 0.1 ecosystem and has been superseded by the main tokio crate...

5.7AI score
Exploits0
RustSec
RustSec
•added 2026/03/20 12:0 p.m.•7 views

`tokio-tcp` is unmaintained

The tokio-tcp crate is unmaintained. It was part of the Tokio 0.1 ecosystem and has been superseded by the main tokio crate...

5.7AI score
Exploits0
RustSec
RustSec
•added 2026/03/20 12:0 p.m.•10 views

`tokio-io` is unmaintained

The tokio-io crate is unmaintained. It was part of the Tokio 0.1 ecosystem and has been superseded by the main tokio crate...

5.7AI score
Exploits0
RustSec
RustSec
•added 2026/03/20 12:0 p.m.•7 views

`tokio-fs` is unmaintained

The tokio-fs crate is unmaintained. It was part of the Tokio 0.1 ecosystem and has been superseded by the main tokio crate...

5.7AI score
Exploits0
RustSec
RustSec
•added 2026/03/20 12:0 p.m.•10 views

`tokio-process` is unmaintained

The tokio-process crate is unmaintained. It was part of the Tokio 0.1 ecosystem and has been superseded by the main tokio crate...

5.7AI score
Exploits0
RustSec
RustSec
•added 2026/03/20 12:0 p.m.•9 views

CRLs not considered authoritative by Distribution Point due to faulty matching logic

If a certificate had more than one distributionPoint, then only the first distributionPoint would be considered against each CRL's IssuingDistributionPoint distributionPoint, and then the certificate's subsequent distributionPoints would be ignored. The impact was that correctly provided CRLs wou...

5.8AI score
Exploits0Affected Software1
RustSec
RustSec
•added 2026/03/20 12:0 p.m.•4 views

`tokio-timer` is unmaintained

The tokio-timer crate is unmaintained. It was part of the Tokio 0.1 ecosystem and has been superseded by the main tokio crate...

5.7AI score
Exploits0
RustSec
RustSec
•added 2026/03/19 12:0 p.m.•24 views

tar-rs incorrectly ignores PAX size headers if header size is nonzero

Versions 0.4.44 and below of tar-rs have conditional logic that skips the PAX size header in cases where the base header size is nonzero. As part of CVE-2025-62518astral-cve, the astral-tokio-tar project was changed to correctly honor PAX size headers in the case where it was different from the...

8.1CVSS7.4AI score0.00688EPSS
Exploits1Affected Software1
RustSec
RustSec
•added 2026/03/19 12:0 p.m.•11 views

`unpack_in` can chmod arbitrary directories by following symlinks

In versions 0.4.44 and below of tar-rs, when unpacking a tar archive, the tar crate's unpackdir function uses fs::metadatafs-metadata to check whether a path that already exists is a directory. Because fs::metadata follows symbolic links, a crafted tarball containing a symlink entry followed by a...

6.5CVSS5.8AI score0.00379EPSS
Exploits1Affected Software1
RustSec
RustSec
•added 2026/03/19 12:0 p.m.•8 views

CRL Distribution Point Scope Check Logic Error in AWS-LC

A logic error in CRL distribution point matching in AWS-LC allows a revoked certificate to bypass revocation checks during certificate validation, when the application enables CRL checking and uses partitioned CRLs with Issuing Distribution Point IDP extensions. Customers of AWS services do not...

9.1CVSS5.8AI score0.00252EPSS
Exploits0Affected Software1
RustSec
RustSec
•added 2026/03/19 12:0 p.m.•8 views

CRL Distribution Point Scope Check Logic Error in AWS-LC

A logic error in CRL distribution point matching in AWS-LC allows a revoked certificate to bypass revocation checks during certificate validation, when the application enables CRL checking and uses partitioned CRLs with Issuing Distribution Point IDP extensions. Customers of AWS services do not...

9.1CVSS5.9AI score0.00252EPSS
Exploits0Affected Software1
RustSec
RustSec
•added 2026/03/19 12:0 p.m.•42 views

AWS-LC X.509 Name Constraints Bypass via Wildcard/Unicode CN

A logic error in CN Common Name validation allows certificates with wildcard or raw UTF-8 Unicode CN values to bypass name constraints enforcement. The cn2dnsid function does not recognize these CN patterns as valid DNS identifiers, causing NAMECONSTRAINTScheckCN to skip validation. However,...

5.8AI score
Exploits0Affected Software1
RustSec
RustSec
•added 2026/03/17 12:0 p.m.•8 views

Decompressing invalid data can leak information from uninitialized memory or reused output buffer

Decompressing invalid LZ4 data with the block API can leak data from uninitialized memory, or leak content from previous decompression operations when reusing an output buffer. The LZ4 block format defines a "match copy operation" which duplicates previously written data or data from a...

8.2CVSS5.9AI score0.00608EPSS
Exploits0Affected Software1
RustSec
RustSec
•added 2026/03/17 12:0 p.m.•9 views

Insufficient validation of PAX extensions during extraction

In versions 0.5.6 and earlier of astral-tokio-tar, malformed PAX extensions were silently skipped when parsing tar archives. This silent skipping rather than rejection of invalid PAX extensions could be used as a building block for a parser differential, for example by silently skipping a malform...

6.3CVSS5.7AI score0.00249EPSS
Exploits0Affected Software1
RustSec
RustSec
•added 2026/03/14 12:0 p.m.•16 views

`tracing-ethers` was removed from crates.io due to malicious code

The tracing-ethers crate attempted to exfiltrate ssh keys to an app hosted on vercel.app The malicious crate had 9 version published on 2026-03-09 approximately 5 days before removal and had no evidence of actual downloads. There were no crates depending on this crate on crates.io. Thanks to the...

5.8AI score
Exploits0
Total number of security vulnerabilities1141