RUSTSEC-2026-0134

Source
https://rustsec.org/advisories/RUSTSEC-2026-0134
Import Source
https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0134.json
JSON Data
https://api.osv.dev/v1/vulns/RUSTSEC-2026-0134
Published
2026-04-24T12:00:00Z
Modified
2026-05-13T14:30:06.407754Z
Summary
Unsound access to padding bytes while serializing date/time values using the Mysql backend
Details

Diesel relies on libmysqlclient to interact with Mysql-compatible databases. That library requires date/time values to be passed in the byte layout of its MYSQL_TIME type.

Diesel replicated this type as a #[repr(C)] struct, populated all of its fields and then cast the value to an array of bytes. Because that cast also exposes the padding bytes contained in the struct, it is undefined behaviour.

This vulnerability affects any user serializing date/time values using the Mysql backend.

Mitigation

The preferred mitigation is to update to Diesel version 2.3.8 or newer, which fixes the problem.

Resolution

Diesel now serializes the relevant data manually, writing each field into the output buffer, so the padding bytes are never read.
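The unsound pattern from the Details section next to the manual serialization the Resolution describes, as an added example; this is not Diesel's code and not the libmysqlclient header. The `MysqlTime` field list is a simplified assumption for illustration (the padding after the one-byte `neg` field is what a raw cast would read), and zero-filling the padding is a choice made here for determinism, not something the advisory specifies. Field offsets are taken from real addresses rather than hard-coded, so the serializer follows whatever layout the compiler chooses.

```rust
use std::mem::size_of;

/// Rust mirror of libmysqlclient's MYSQL_TIME in the style the advisory
/// describes. Assumption for this example: a simplified field list, not the
/// definition from Diesel or from the libmysqlclient headers.
#[repr(C)]
#[derive(Clone, Copy, Debug, Default, PartialEq)]
struct MysqlTime {
    year: u32,
    month: u32,
    day: u32,
    hour: u32,
    minute: u32,
    second: u32,
    second_part: u64, // unsigned long on LP64 targets
    neg: u8,          // my_bool; the compiler inserts padding after it
    time_type: u32,   // enum_mysql_timestamp_type, as its integer value
}

const SIZE: usize = size_of::<MysqlTime>();

/// The bug shape: reinterpret the whole struct as bytes. This also reads the
/// padding bytes, which is undefined behaviour, so it is shown but never called.
#[allow(dead_code)]
unsafe fn serialize_unsound(t: &MysqlTime) -> Vec<u8> {
    std::slice::from_raw_parts(t as *const MysqlTime as *const u8, SIZE).to_vec()
}

/// Byte offset of `field` inside `base`, computed from addresses so that no
/// layout is hard-coded.
fn field_offset<T, F>(base: &T, field: &F) -> usize {
    (field as *const F as usize) - (base as *const T as usize)
}

fn put(out: &mut [u8; SIZE], at: usize, bytes: &[u8]) {
    out[at..at + bytes.len()].copy_from_slice(bytes);
}

/// Sound serialization: every field is written at its own offset into a
/// zeroed buffer. Padding is never read; it stays zero (an assumption made
/// here, any deterministic fill would do).
fn serialize_sound(t: &MysqlTime) -> [u8; SIZE] {
    let mut out = [0u8; SIZE];
    put(&mut out, field_offset(t, &t.year), &t.year.to_ne_bytes());
    put(&mut out, field_offset(t, &t.month), &t.month.to_ne_bytes());
    put(&mut out, field_offset(t, &t.day), &t.day.to_ne_bytes());
    put(&mut out, field_offset(t, &t.hour), &t.hour.to_ne_bytes());
    put(&mut out, field_offset(t, &t.minute), &t.minute.to_ne_bytes());
    put(&mut out, field_offset(t, &t.second), &t.second.to_ne_bytes());
    put(&mut out, field_offset(t, &t.second_part), &t.second_part.to_ne_bytes());
    put(&mut out, field_offset(t, &t.neg), &t.neg.to_ne_bytes());
    put(&mut out, field_offset(t, &t.time_type), &t.time_type.to_ne_bytes());
    out
}

fn read_u32(buf: &[u8], at: usize) -> u32 {
    let mut b = [0u8; 4];
    b.copy_from_slice(&buf[at..at + 4]);
    u32::from_ne_bytes(b)
}

fn read_u64(buf: &[u8], at: usize) -> u64 {
    let mut b = [0u8; 8];
    b.copy_from_slice(&buf[at..at + 8]);
    u64::from_ne_bytes(b)
}

/// Inverse of `serialize_sound`, used to check the round trip.
fn parse(buf: &[u8; SIZE]) -> MysqlTime {
    let p = MysqlTime::default(); // probe instance, only its addresses are used
    MysqlTime {
        year: read_u32(buf, field_offset(&p, &p.year)),
        month: read_u32(buf, field_offset(&p, &p.month)),
        day: read_u32(buf, field_offset(&p, &p.day)),
        hour: read_u32(buf, field_offset(&p, &p.hour)),
        minute: read_u32(buf, field_offset(&p, &p.minute)),
        second: read_u32(buf, field_offset(&p, &p.second)),
        second_part: read_u64(buf, field_offset(&p, &p.second_part)),
        neg: buf[field_offset(&p, &p.neg)],
        time_type: read_u32(buf, field_offset(&p, &p.time_type)),
    }
}

/// Byte positions inside the struct that no field covers: exactly the bytes a
/// raw cast would read and a field-wise serializer never touches.
fn padding_offsets() -> Vec<usize> {
    let p = MysqlTime::default();
    let spans = [
        (field_offset(&p, &p.year), 4), (field_offset(&p, &p.month), 4),
        (field_offset(&p, &p.day), 4), (field_offset(&p, &p.hour), 4),
        (field_offset(&p, &p.minute), 4), (field_offset(&p, &p.second), 4),
        (field_offset(&p, &p.second_part), 8), (field_offset(&p, &p.neg), 1),
        (field_offset(&p, &p.time_type), 4),
    ];
    let mut covered = [false; SIZE];
    for &(start, len) in spans.iter() {
        for c in &mut covered[start..start + len] {
            *c = true;
        }
    }
    covered.iter().enumerate().filter(|(_, c)| !**c).map(|(i, _)| i).collect()
}

fn main() {
    let t = MysqlTime { year: 2026, month: 4, day: 24, hour: 12, minute: 0,
                        second: 0, second_part: 0, neg: 0, time_type: 1 };
    let bytes = serialize_sound(&t);
    println!("{} bytes, padding at {:?}", bytes.len(), padding_offsets());
    assert_eq!(parse(&bytes), t);
}
```

On a 64-bit target the struct is 40 bytes with three padding bytes after `neg`; `padding_offsets()` makes that visible, and the round trip through `parse` shows that the field-wise writer loses nothing relative to the cast while never touching those bytes. Running the unsound variant under Miri is the quickest way to see the original pattern rejected.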

Database specific
{
    "license": "CC0-1.0"
}
References

Affected packages

crates.io / diesel

Package

Affected ranges

Type
SEMVER
Events
Introduced
0.0.0-0
Fixed
2.3.8

Ecosystem specific

{
    "affects": {
        "functions": [
            "diesel::serialize::ToSql<Date,Mysql>",
            "diesel::serialize::ToSql<DateTime,Mysql>",
            "diesel::serialize::ToSql<Time,Mysql>",
            "diesel::serialize::ToSql<Timestamp,Mysql>"
        ],
        "arch": [],
        "os": []
    },
    "affected_functions": null
}

Database specific

categories
[]
source
"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0134.json"
cvss
null
informational
"unsound"