GHSA-qx2v-8332-m4fv
Suggest an improvement- Source
- https://github.com/advisories/GHSA-qx2v-8332-m4fv
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-qx2v-8332-m4fv/GHSA-qx2v-8332-m4fv.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-qx2v-8332-m4fv
- Aliases
- Related
- Published
- 2025-08-11T22:45:20Z
- Modified
- 2025-08-12T13:17:01Z
- Severity
-
- 5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- slab allows out-of-bounds access in `get_disjoint_mut` due to incorrect bounds check
- Details
-
Impact
The
get_disjoint_mutmethod in slab v0.4.10 incorrectly checked if indices were within the slab's capacity instead of its length, allowing access to uninitialized memory. This could lead to undefined behavior or potential crashes.Patches
This has been fixed in slab v0.4.11.
Workarounds
Avoid using
get_disjoint_mutwith indices that might be beyond the slab's actual length, or upgrade to v0.4.11 or later.References
- Database specific
{ "github_reviewed": true, "cwe_ids": [ "CWE-119" ], "severity": "MODERATE", "github_reviewed_at": "2025-08-11T22:45:20Z", "nvd_published_at": "2025-08-11T23:15:28Z" }- References
-
- https://github.com/tokio-rs/slab/security/advisories/GHSA-qx2v-8332-m4fv
- https://nvd.nist.gov/vuln/detail/CVE-2025-55159
- https://github.com/tokio-rs/slab/pull/152
- https://github.com/tokio-rs/slab/commit/2d65c514bc964b192bab212ddf3c1fcea4ae96b8
- https://github.com/tokio-rs/slab
- https://rustsec.org/advisories/RUSTSEC-2025-0047.html
Affected packages
crates.io / slab
Package
- Name
- slab
- View open source insights on deps.dev
- Purl
- pkg:cargo/slab