RUSTSEC-2026-0184

See a problem?
Please try reporting it to the source first.
Source
https://rustsec.org/advisories/RUSTSEC-2026-0184
Import Source
https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0184.json
JSON Data
https://api.osv.dev/v1/vulns/RUSTSEC-2026-0184
Published
2026-05-13T12:00:00Z
Modified
2026-06-17T14:00:05.672935662Z
Summary
Potential undefined behavior with Signature from a buffer-created BlameHunk
Details

When a Blame is created via Blame::blame_buffer(), and a BlameHunk is retrieved, the pointers to the original author, original committer, final author, and final committer may be null if unavailable. The corresponding BlameHunk methods then create Signatures based on null pointers; attempting to access the data of the Signatures leads to dereferencing null pointers.

Database specific 
{
    "license": "CC0-1.0"
}
References

Affected packages

crates.io / git2

Package

Name
git2
View open source insights on deps.dev
Purl
pkg:cargo/git2

Affected ranges

Type
SEMVER
Events
Introduced
0.0.0-0
Fixed
0.21.0

Ecosystem specific 

{
    "affected_functions": null,
    "affects": {
        "os": [],
        "functions": [],
        "arch": []
    }
}

Database specific

categories 
[]
informational 
"unsound"
cvss 
null
source 
"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0184.json"