GHSA-fp5x-7m4q-449f

Source

https://github.com/advisories/GHSA-fp5x-7m4q-449f

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-fp5x-7m4q-449f/GHSA-fp5x-7m4q-449f.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-fp5x-7m4q-449f

Aliases

RUSTSEC-2025-0105

Published

2025-10-21T21:57:31Z

Modified

2025-10-28T06:29:51.664751Z

Severity

2.0 (Low) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P CVSS Calculator

Summary

Direct Ring Buffer has uninitialized memory exposure in create_ring_buffer

Details

The safe function create_ring_buffer allocates a buffer using Vec::with_capacity followed by set_len, creating a Box<[T]> containing uninitialized memory.

This leads to undefined behavior when functions like write_slices create typed slices (e.g., &mut [bool]) over the uninitialized memory, violating Rust's validity invariants. The issue has been confirmed using Miri.

Fixed in version 0.2.2 by using resize_with to properly initialize the buffer with T::default(), adding a T: Default bound to ensure sound initialization.

Database specific

{
    "cwe_ids": [
        "CWE-908"
    ],
    "github_reviewed": true,
    "nvd_published_at": null,
    "github_reviewed_at": "2025-10-21T21:57:31Z",
    "severity": "LOW"
}

References

Affected packages

crates.io / direct_ring_buffer

Package

Name: direct_ring_buffer; View open source insights on deps.dev
Purl: pkg:cargo/direct_ring_buffer

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.2.2