Lack of sufficient checks in public API

The following functions in the anon-vec crate are unsound due to insufficient checks on their arguments:: - AnonVec::getref - AnonVec::getmut - AnonVec::removeget The crate was built as a learning project and is not being maintained...

soundness issue and unmaintained

wrenrust::macros::defaultrealloc lacks sufficient checks to it pointer parameter which passed into free and realloc wrenrust is unmaintained...

soundness issue and unmaintained

shaman::cryptoutil::writeu64vle and other functions mentioned above cannot garantee memory safety of getunchecked later if both length are zero. shaman is unmaintained...

soundness issue and unmaintained

FastMap::get lacks sufficient checks to its parameter index and is used to unsafely get a Vec element. fastidmap is unmaintained...

Unsound issue in Trailer

Our static analyzer find a potential unsound issue in the construction of Trailer, where it doesn't provide enough check to ensure the soundness. trailer/src/lib.rs, Lines 18 to 25 in d474984: pub fn newcapacity: usize - Trailer unsafe let trailer = Trailer::allocatecapacity; let ptr = trailer.pt...

Panic in mp3-metadata due to the lack of bounds checking

The getid3 methods used by mp3metadata::readfromslice does not perform adequate bounds checking when recreating the tag due to the use of desynchronization. Fixed in Fix index error, released as part of 0.4.0...

rustc-serialize is unmaintained

rustc-serialize will no longer be maintained as declared by the developer. By fuzzing the package, we can identify multiple vulnerabilities. The project has been archived and cannot submit issues. The developer has recommended using the serde crate instead...

Possible unsound public API

The public accessible struct SyncVec has a public safe method getunchecked. It accept a parameter index and used in the getunchecked without sufficient checks as mentioned here...

`DTriangle` accessors may read out of bounds in affected versions

In affected versions, DTriangle::neighborbyorder and DTriangle::vertexbyorder were public safe functions that accepted an arbitrary order value. These functions used order to access fixed-size internal arrays with getunchecked, without checking whether order was within bounds. Calling these metho...

Unsound public API in unmaintained crate

The following functions in the tantonengine crate are unsound due to lack of sufficient boundary checks in public API: - Stack::offset - ThreadStack::get - RootMoveList::insertscoredepth - RootMoveList::insertscore The tantonengine crate is no longer maintained, so there are no plans to fix this...

Out of bounds access in public safe API

Rows::rowunchecked allows out of bounds access to the underlying buffer without sufficient checks. The arrow2 crate is no longer maintained, so there are no plans to fix this issue. Users are advised to migrate to the arrow crate, instead...

Multiple soundness issues in `macroquad`

Several soundness issues have been reported. Resolving them doesn't seem to be considered a priority. In particular, unprincipled use of mutable statics is pervasive throughout the library, making it possible to cause use-after-free in safe code. Currently, no fixed version is available...

`VMABuffer::set_data` may allow out-of-bounds writes from safe code

VMABuffer::setdata was a publicly accessible safe function. It accepted an arbitrary offset and a data slice, then used the offset in unsafe pointer arithmetic before copying the slice into a mapped allocation. Affected versions did not check that the requested write range fit within the allocati...

crossbeam-channel: double free on Drop

The internal Channel type's Drop method has a race which could, in some circumstances, lead to a double-free. This could result in memory corruption. Quoting from the upstream description in merge request \1187: The problem lies in the fact that dicardallmessages contained two paths that could le...

Broadcast channel calls clone in parallel, but does not require `Sync`

The broadcast channel internally calls clone on the stored value when receiving it, and only requires T:Send. This means that using the broadcast channel with values that are Send but not Sync can trigger unsoundness if the clone implementation makes use of the value being !Sync. Thank you to...

Use-After-Free in `Md::fetch` and `Cipher::fetch`

When a Some... value was passed to the properties argument of either of these functions, a use-after-free would result. In practice this would nearly always result in OpenSSL treating the properties as an empty string due to CString::drop's behavior. The maintainers thank quitbug for reporting th...

SHA-1 collision attacks are not detected

Summary gitoxide uses SHA-1 hash implementations without any collision detection, leaving it vulnerable to hash collision attacks. Details gitoxide uses the sha1smol or sha1 crate, both of which implement standard SHA-1 without any mitigations for collision attacks. This means that two distinct G...

Risk of buffer overflow in `PyString::from_object`

PyString::fromobject took &str arguments and forwarded them directly to the Python C API without checking for terminating nul bytes. This could lead the Python interpreter to read beyond the end of the &str data and potentially leak contents of the out-of-bounds read by raising a Python exception...

Public API without sufficient bounds checking

Match::get and Match::ptr lack sufficient bounds checks, leading to potential out of bounds reads...

`array-init-cursor` in version 0.2.0 and below is unsound when used with types that implement `Drop`

The Drop implementation will get run twice when using the cursor. This issue does not affect you, if you are using only using the crate with types that are Copy such as u8. This issue also does not affect you, if you are only depending on it through the crate planus...

Safe API can cause heap-buffer-overflow

ffi::nstr should be marked unsafe, since a pointer to a buffer without a trailing 0 value will cause a heap buffer overflow...

Potential out-of-bounds read with a malformed ELF file and the HashTable API.

Affected versions of this crate only validated the index argument of HashTable::getbucket and HashTable::getchain against the input-controlled bucketcount and chaincount fields, but not against the size of the ELF section. As a result, a malformed ELF file could trigger out-of-bounds reads in a...

The `trust-dns` project has been rebranded to `hickory-dns`

The trust-dns-proto crate is now available as hickory-proto...

Use after free in `Parc` and `Prc` due to missing lifetime constraints

Affected versions of this crate didn't provide sufficient lifetime constraints to conversion functions from alloc::sync::Arc and alloc::rc::Rc, which made it possible to create projections of these reference counted pointers. Unlike the original reference counted pointers, these projections could...

World Writable Directory in /var/log/below Allows Local Privilege Escalation

Below is a tool for recording and displaying system data like hardware utilization and cgroup information on Linux. Symlink Attack in /var/log/below/errorroot.log Below's systemd service runs with full root privileges. It attempts to create a world-writable directory in /var/log/below. Even if th...

`tree-sitter-pkl` was removed from crates.io for malicious code

tree-sitter-pkl was part of a campaign that attempted to exfiltrate environmental data from the host. The malicious crate had 1 version published in March 2025, and had no evidence of actual usage. This crate had no dependencies on crates.io...

humantime is unmaintained

Latest humantime crates.io release is four years old and GitHub repository has not seen commits in four years. Question about maintenance status has not gotten any reaction from maintainer: https://github.com/tailhook/humantime/issues/31 Update: maintained again The maintainer has responded and...

Some AES functions may panic when overflow checking is enabled.

ring::aead::quic::HeaderProtectionKey::newmask may panic when overflow checking is enabled. In the QUIC protocol, an attacker can induce this panic by sending a specially-crafted packet. Even unintentionally it is likely to occur in 1 out of every 232 packets sent and/or received. On 64-bit targe...

Versions of *ring* prior to 0.17 are unmaintained.

ring 0.16.20 was released over 4 years ago and isn't maintained, tested, etc. Additionally, the project's general policy is to only patch the latest release, which is 0.17.12 now. It will be difficult for anybody to backport future fixes to versions earlier than 0.17.10 due to license changes...

`backoff` is unmaintained.

The backoff crate is no longer actively maintained. For exponential backoffs/retrying, you can use the backon crate...

`openpgp-card-sequoia` is unmaintained.

The openpgp-card-sequoia crate is no longer actively maintained. You can use the openpgp-card-rpgp crate for OpenPGP card client functionality instead...

Openh264 Decoding Functions Heap Overflow Vulnerability

OpenH264 recently reported a heap overflow that was fixed in upstream 63db555 and integrated into our 0.6.6 release. For users relying on Cisco's pre-compiled DLL, we also published 0.8.0, which is compatible with their latest fixed DLL version 2.6.0. In other words: - if you rely on our source...

resolve is unmaintained

resolve crate's GitHub repository is archived with no commits for seven years. Latest crates.io release is also seven years old. Possible alternatives hickory-resolver...

*ring* is unmaintained

The author has announced an indefinite hiatus in its development, noting that any reported security vulnerabilities may go unaddressed for prolonged periods of time. Update: security maintenance only After this advisory was published, the author graciously agreed to give access to the rustls team...

Denial of Service via malicious Web Push endpoint

Prior to version 0.10.3, the built-in clients of the web-push crate eagerly allocated memory based on the Content-Length header returned by the Web Push endpoint. Malicious Web Push endpoints could return a large Content-Length without ever having to send as much data, leading to denial of servic...

`sophosfirewall-python` was removed from crates.io for malicious code

sophosfirewall-python was part of a campaign that attempted to exfiltrate environmental data from the host. The malicious crate had 6 versions published in February 2025, and had no evidence of actual usage. This crate had no dependencies on crates.io...

totally-safe-transmute allows transmuting any type to any other type in safe Rust

This crate is a toy and should never be used. It showcases a known soundness issue https://github.com/rust-lang/rust/issues/32670 that will never get fixed. In short, Linux provides a file called /proc/self/mem which can be used by a program to modify its own memory. This library modifies an enum...

cve-rs introduces memory vulnerabilities in safe Rust

This crate is a joke and should never be used. cve-rs provides demonstrations of common memory vulnerabilities such as buffer overflows and segfaults implemented completely within safe Rust. Internally, this crate does not use unsafe code, it instead exploits a soundness bug in rustc:...

`rands` was removed from crates.io for malicious code

This crate attempted to typosquat the rand crate, and would link in a malware payload on macOS and Linux hosts when built. This advisory is to retrospectively document this attempted attack. The version information and download records of the malicious crate are no longer available. The related...

totally-safe introduces memory vulnerabilities in safe Rust

totally-safe provides unsound APIs that exploit a soundness bug in rustc: https://github.com/rust-lang/rust/issues/25860...

Hickory DNS failure to verify self-signed RRSIG for DNSKEYs

Summary The DNSSEC validation routines treat entire RRsets of DNSKEY records as trusted once they have established trust in only one of the DNSKEYs. As a result, if a zone includes a DNSKEY with a public key that matches a configured trust anchor, all keys in that zone will be trusted to...

ssl::select_next_proto use after free

In openssl versions before 0.10.70, ssl::selectnextproto can return a slice pointing into the server argument's buffer but with a lifetime bound to the client argument. In situations where the server buffer's lifetime is shorter than the client buffer's, this can cause a use after free. This coul...

`custom-req-on-workers` was removed from crates.io for malicious code

custom-req-on-workers was part of a campaign that attempted to exfiltrate environmental data from the host. The malicious crate had 1 version published in January 2025, and had no evidence of actual usage. This crate had no dependencies on crates.io...

`jfrog_quotes` was removed from crates.io for malicious code

jfrogquotes was part of a campaign that attempted to exfiltrate environmental data from the host. The malicious crate had 1 version published in January 2025, and had no evidence of actual usage. This crate had no dependencies on crates.io...

gix-worktree-state nonexclusive checkout sets executable files world-writable

Summary gix-worktree-state specifies 0777 permissions when checking out executable files, intending that the umask will restrict them appropriately. But one of the strategies it uses to set permissions is not subject to the umask. This causes files in a repository to be world-writable in some...

`root` appended to group listings

Affected versions append root to group listings, unless the correct listing has exactly 1024 groups. This affects both: - The supplementary groups of a user - The group access list of the current process If the caller uses this information for access control, this may lead to privilege escalation...

libsecp256k1 is unmaintained

The maintainers recommend using k256 instead...

Segmentation fault due to lack of bound check

In this case, the "fastfloat2::common::AsciiStr::first" method within the "AsciiStr" struct uses the unsafe keyword to reading from memory without performing bounds checking. Specifically, it directly dereferences a pointer offset by "self.ptr". Because of the above reason, the method accesses...

Segmentation fault due to lack of bound check

In this case, the "fastfloat::common::AsciiStr::first" method within the "AsciiStr" struct uses the unsafe keyword to reading from memory without performing bounds checking. Specifically, it directly dereferences a pointer offset by "self.ptr". Because of the above reason, the method accesses...

Out of bounds write triggered by crafted coverage data

Function grcov::covdir::getcoverage uses the unsafe function getuncheckedmut without validating that the index is in bounds. This results in memory corruption, and could potentially allow arbitrary code execution provided that an attacker can feed the tool crafted coverage data...