RUSTSEC-2026-0132

Source
https://rustsec.org/advisories/RUSTSEC-2026-0132
Import Source
https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0132.json
JSON Data
https://api.osv.dev/v1/vulns/RUSTSEC-2026-0132
Withdrawn
2026-05-17T12:00:00Z
Published
2026-05-02T12:00:00Z
Modified
2026-05-17T20:15:11.414569Z
Summary
Potential out-of-bounds write via public `Context` fields
Details

The `Context` struct has all fields public (`pub d_len`, `pub digest`, etc.). Code from other modules within the same crate can directly modify `d_len` to a value exceeding the `digest` vector length. When `reset()` is subsequently called, `self.digest[self.d_len as usize] = 0` becomes an out-of-bounds write.

Withdrawal

This advisory has been withdrawn because the above unsoundness cannot be triggered in safe code by dependents of the crate, as the `Context` struct is not public. It merely represents an opportunity for improvement for the crate's internals.
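The pattern described under Details, as an added example that is not the ssdeep crate's source: a constructed `LooseContext` with public fields whose `reset()` detects a broken `d_len`, beside an encapsulated `Context` where the invariant cannot be broken from outside. The field types, `new`, `set_d_len` and the `LooseContext` name are assumptions; only `d_len`, `digest` and `reset()` come from the advisory.

```rust
// Constructed model of the pattern in the advisory; not the ssdeep crate's source.
// Field types (u32, Vec<u8>) and all names except d_len, digest, reset() are assumed.

/// Advisory's shape: public fields, so any code that can name the type can
/// set d_len past the end of digest before reset() runs.
pub struct LooseContext {
    pub d_len: u32,
    pub digest: Vec<u8>,
}

impl LooseContext {
    /// Checked form of `self.digest[self.d_len as usize] = 0`: reports a
    /// broken invariant instead of touching memory outside the buffer.
    pub fn reset(&mut self) -> Result<(), String> {
        let idx = self.d_len as usize;
        let len = self.digest.len();
        match self.digest.get_mut(idx) {
            Some(slot) => { *slot = 0; Ok(()) }
            None => Err(format!("d_len {} out of range for digest of length {}", idx, len)),
        }
    }
}

/// Encapsulated form: fields are private, so d_len < digest.len() is
/// established in new() and preserved by every method.
pub struct Context {
    d_len: u32,
    digest: Vec<u8>,
}

impl Context {
    pub fn new(capacity: usize) -> Option<Self> {
        if capacity == 0 || capacity > u32::MAX as usize { return None; }
        Some(Context { d_len: 0, digest: vec![0; capacity] })
    }
    /// Hypothetical setter: the only way to change d_len, and it validates.
    pub fn set_d_len(&mut self, n: u32) -> bool {
        let ok = (n as usize) < self.digest.len();
        if ok { self.d_len = n; }
        ok
    }
    pub fn d_len(&self) -> u32 { self.d_len }
    pub fn reset(&mut self) {
        self.digest[self.d_len as usize] = 0; // in bounds by the invariant
    }
}

fn main() {
    let mut loose = LooseContext { d_len: 0, digest: vec![0; 4] };
    loose.d_len = 9; // compiles because the field is pub
    println!("{:?}", loose.reset());
}
```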

Database specific
{
    "license": "CC0-1.0"
}
Affected packages

crates.io / ssdeep

Affected ranges

Type
SEMVER
Events
Introduced
0.0.0-0

Ecosystem specific

{
    "affected_functions": null,
    "affects": {
        "arch": [],
        "functions": [],
        "os": []
    }
}

Database specific

categories
[
    "memory-corruption"
]
source
"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0132.json"
informational
"unsound"
cvss
null