GHSA-7mcq-f592-pf7v
Suggest an improvement- Source
- https://github.com/advisories/GHSA-7mcq-f592-pf7v
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-7mcq-f592-pf7v/GHSA-7mcq-f592-pf7v.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-7mcq-f592-pf7v
- Published
- 2025-07-16T14:18:46Z
- Modified
- 2025-07-16T14:18:46Z
- Severity
-
- 8.1 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U CVSS Calculator
- Summary
- Slice Ring Buffer and Slice Deque contains four unique double-free vulnerabilities triggered through safe APIs
- Details
-
The crate
slice-ring-bufferwas developed as a fork ofslice-dequeto continue maintenance and provide security patches, since the latter has been officially unmaintained (RUSTSEC-2020-0158).While
slice-ring-bufferhas addressed some previously reported memory safety issues inherited from its fork origin (RUSTSEC-2021-0047), it still retains multiple unresolved memory corruption vulnerabilities.Specifically, we have discovered four new memory safety bugs, each resulting in double-free violations that can occur when only safe APIs are invoked. These vulnerabilities correspond to four distinct safe APIs in the crate, each exposing unsound and vulnerable behavior due to incorrect usage of unsafe code internally.
Unfortunately, the maintainer doesn't have much availability to resolve these issues so there's no concrete timeline for fixes. Community contributions towards fixing these vulnerabilities would be much appreciated.
- Database specific
{ "github_reviewed": true, "cwe_ids": [ "CWE-415" ], "severity": "HIGH", "github_reviewed_at": "2025-07-16T14:18:46Z", "nvd_published_at": null }- References
Affected packages
crates.io / slice-deque
Package
- Name
- slice-deque
- View open source insights on deps.dev
- Purl
- pkg:cargo/slice-deque
crates.io / slice-ring-buffer
Package
- Name
- slice-ring-buffer
- View open source insights on deps.dev
- Purl
- pkg:cargo/slice-ring-buffer