GHSA-x3f4-45xf-rjm7

Suggest an improvement
Source
https://github.com/advisories/GHSA-x3f4-45xf-rjm7
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-x3f4-45xf-rjm7/GHSA-x3f4-45xf-rjm7.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-x3f4-45xf-rjm7
Aliases
Published
2024-12-02T21:34:27Z
Modified
2025-10-28T06:29:53.957356Z
Summary
`ruzstd` uninit and out-of-bounds memory reads
Details

Affected versions of ruzstd miscalculate the length of the allocated and init section of its internal RingBuffer, leading to uninitialized or out-of-bounds reads in copy_bytes_overshooting of up to 15 bytes.

This may result in up to 15 bytes of memory contents being written into the decoded data when decompressing a crafted archive. This may occur multiple times per archive.

Database specific 
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-125"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-12-02T21:34:27Z"
}
References

Affected packages

crates.io / ruzstd

Package

Name
ruzstd
View open source insights on deps.dev
Purl
pkg:cargo/ruzstd

Affected ranges

Type
SEMVER
Events
Introduced
0.7.0
Fixed
0.7.3

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-x3f4-45xf-rjm7/GHSA-x3f4-45xf-rjm7.json"