RUSTSEC-2026-0137

Source
https://rustsec.org/advisories/RUSTSEC-2026-0137
Import Source
https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0137.json
JSON Data
https://api.osv.dev/v1/vulns/RUSTSEC-2026-0137
Published
2026-04-24T12:00:00Z
Modified
2026-05-20T07:15:03.921524485Z
Summary
Possible unaligned data access for implementations of `SqliteAggregate`
Details

Diesel allows registering custom aggregate SQL functions for SQLite via the SqliteAggregate interface.

To store an instance of the custom aggregate processor, Diesel relied on the sqlite3_aggregate_context function provided by SQLite. This function doesn't provide any guarantees about the alignment of the returned allocation, which in turn can lead to problems if the type implementing the trait requires a special alignment, e.g. via a custom #[align(x)] attribute on that type. This affects any user of SqliteAggregate that registers the custom aggregate function with an SQLite connection while using a non-standard alignment on the type implementing this trait.

Mitigation

The preferred mitigation for the outlined problem is to update to Diesel version 2.3.8 or newer, which includes fixes for the problem.

Resolution

Diesel now allocates the corresponding memory on the Rust side to get a correctly aligned allocation.
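
The alignment problem and the Rust-side allocation described above, as an added example that is not Diesel's code. `Accumulator`, `foreign_slot`, `init_state`, `state_ptr` and `demo` are hypothetical names, the `backing` buffer is a constructed stand-in for memory handed out without an alignment guarantee, and keeping a `Box` pointer in that slot is an assumed way of allocating on the Rust side.

```rust
use std::mem::align_of;

// Hypothetical aggregate state; #[repr(align(64))] raises its alignment to 64.
#[repr(align(64))]
struct Accumulator {
    sum: i64,
}

// True when `ptr` meets T's alignment requirement.
fn is_aligned_for<T>(ptr: *const u8) -> bool {
    (ptr as usize) % align_of::<T>() == 0
}

// Constructed stand-in for foreign memory: 8-byte aligned, never 64-byte aligned.
fn foreign_slot(backing: &mut [u8; 256]) -> *mut u8 {
    let base = backing.as_mut_ptr();
    let pad = (64 - base as usize % 64) % 64;
    unsafe { base.add(pad + 8) }
}

// Box honours align_of::<Accumulator>(); only its address goes into the slot.
fn init_state(slot: *mut u8) {
    let raw = Box::into_raw(Box::new(Accumulator { sum: 0 }));
    unsafe { (slot as *mut *mut Accumulator).write_unaligned(raw) }
}

fn state_ptr(slot: *mut u8) -> *mut Accumulator {
    unsafe { (slot as *mut *mut Accumulator).read_unaligned() }
}

// Returns (slot usable in place?, boxed state aligned?, sum).
fn demo() -> (bool, bool, i64) {
    let mut backing = [0u8; 256];
    let slot = foreign_slot(&mut backing);
    let in_place_ok = is_aligned_for::<Accumulator>(slot);
    init_state(slot);
    let boxed_ok = is_aligned_for::<Accumulator>(state_ptr(slot) as *const u8);
    for v in [3, 4, 5] {
        let s = unsafe { &mut *state_ptr(slot) };
        s.sum += v;
    }
    // Final step: take ownership back so the state is dropped exactly once.
    let done = unsafe { Box::from_raw(state_ptr(slot)) };
    (in_place_ok, boxed_ok, done.sum)
}

fn main() {
    println!("{:?}", demo());
}
```

Writing an `Accumulator` directly into the slot would create a misaligned reference, which is undefined behaviour in Rust; the pointer itself is read and written with `read_unaligned`/`write_unaligned`, so the slot's alignment no longer matters.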

Database specific
{
    "license": "CC0-1.0"
}
Affected packages

crates.io / diesel

Affected ranges

Type
SEMVER
Events
Introduced
0.0.0-0
Fixed
2.3.8

Ecosystem specific

{
    "affects": {
        "functions": [
            "diesel::sqlite::SqliteAggregate"
        ],
        "arch": [],
        "os": []
    },
    "affected_functions": null
}

Database specific

categories
[]
source
"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0137.json"
cvss
null
informational
null