RUSTSEC-2025-0042 – static-alloc

Package

Manager: cargo
Name: static-alloc
Vulnerable Version: >=0.2.2-0 <0.2.6

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N/E:P/RL:O/RC:R

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

Uninitialized read after allocating MemBump The affected function, `MemBump::new()`, would allocate memory without initializing it. Subsequently calling the created value's various `alloc` methods would then read and write the start of that memory as a `Cell` which is undefined behavior. Instead, it should zero initialize the start of the allocated memory. For instance, some values could violate the internal invariants of the type and cause an assertion failure. Nevertheless, no deterministic read is known to cause further uninitialized memory to be exposed. Affected downstream users that can not upgrade are advised to call `MemBump::reset` immediately after allocation to manually perform the missing write of the counter best-as-possible. The flaw was corrected in commit d8d6a7d096d3aaafd963b356a8f1bbd8d26fd967 by zeroing the Cell at the start of the allocated memory.

Metadata

Created: 2025-07-11T12:00:00Z
Modified: 2025-07-11T10:38:44Z
Source: https://osv-vulnerabilities
CWE IDs: N/A
Alternative ID: N/A
Finding: F138
Auto approve: 1