GHSA-xrrq-rrgq-h89w

Source

https://github.com/advisories/GHSA-xrrq-rrgq-h89w

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-xrrq-rrgq-h89w/GHSA-xrrq-rrgq-h89w.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-xrrq-rrgq-h89w

Published

2025-07-11T19:57:06Z

Modified

2025-07-11T19:57:06Z

Severity

0.0 (None) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/E:U CVSS Calculator

Summary

static-alloc vulnerability leads to uninitialized read after allocating MemBump

Details

The affected function, MemBump::new(), would allocate memory without initializing it. Subsequently calling the created value's various allocmethods would then read and write the start of that memory as a Cell which isundefined behavior. Instead, it should zero initialize the start of the allocated memory.

For instance, some values could violate the internal invariants of the type and cause an assertion failure. Nevertheless, no deterministic read is known tocause further uninitialized memory to be exposed.

Affected downstream users that can not upgrade are advised to call MemBump::reset immediately after allocation to manually perform the missing write of the counter best-as-possible.

The flaw was corrected in commit d8d6a7d096d3aaafd963b356a8f1bbd8d26fd967 by zeroing the Cell at the start of the allocated memory.

Database specific

{
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-908"
    ],
    "nvd_published_at": null,
    "severity": "LOW",
    "github_reviewed_at": "2025-07-11T19:57:06Z"
}

References

Affected packages

crates.io / static-alloc

Package

Name: static-alloc; View open source insights on deps.dev
Purl: pkg:cargo/static-alloc

Affected ranges

Type: SEMVER
Events: Introduced

0.2.2

Fixed

0.2.6