GHSA-x43w-ph7m-pfjx

Source
https://github.com/advisories/GHSA-x43w-ph7m-pfjx
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-x43w-ph7m-pfjx/GHSA-x43w-ph7m-pfjx.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-x43w-ph7m-pfjx
Aliases
Published
2026-02-25T19:23:47Z
Modified
2026-02-26T06:26:18.675208Z
Severity
  • 7.2 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
Summary
hexchat crate has a Use After Free vulnerability
Details

All versions of this crate expose the function deregister_command, which can result in a use after free. This is unsound.

In addition, all versions since 0.3.0 have "safe" macros, which are documented as unsafe to use in threads.

In addition, the hexchat crate is no longer actively maintained. Users who rely on this crate should consider switching to an alternative.

Database specific
{
    "nvd_published_at": null,
    "github_reviewed_at": "2026-02-25T19:23:47Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-416"
    ],
    "severity": "HIGH"
}
References

Affected packages

crates.io / hexchat

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Last affected
0.6.3

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-x43w-ph7m-pfjx/GHSA-x43w-ph7m-pfjx.json"