Out-of-bounds read in rustdx

Description

Out-of-bounds read in bytes_helper public safe functions

The bytes_helper module contains multiple public functions (into_arr4(), into_arr2(), u8_from_le_bytes()) that use slice.get_unchecked(pos..pos + N) without verifying that pos + N <= slice.len(). Because these are public safe API functions, any caller can trigger undefined behavior from safe code by passing an invalid position.

For example, calling into_arr4(&data, 10) where data is a 3-byte slice causes an out-of-bounds access since position 10 exceeds the slice length.
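The missing check, shown as an added example that is not rustdx's own code: the unchecked pattern the description refers to, beside a bounds-checked form generalized to any N that also rejects a pos + N that overflows. The function names and signatures are assumptions, and the sample bytes are constructed.

```rust
use std::convert::TryInto;

/// Pattern described in the advisory (hypothetical name, assumed signature):
/// a safe `pub fn` that never checks `pos + 4 <= slice.len()`.
/// It is sound only when the caller happens to pass an in-range `pos`.
pub fn into_arr4_unchecked_pattern(slice: &[u8], pos: usize) -> [u8; 4] {
    // Undefined behavior when pos + 4 > slice.len(): nothing validates the range.
    let window = unsafe { slice.get_unchecked(pos..pos + 4) };
    window.try_into().unwrap()
}

/// Bounds-checked form (hypothetical helper): returns None instead of
/// reading past the end of the slice.
pub fn read_arr<const N: usize>(slice: &[u8], pos: usize) -> Option<[u8; N]> {
    // checked_add rejects positions where pos + N would wrap around usize.
    let end = pos.checked_add(N)?;
    // slice.get performs the length check that get_unchecked omits.
    let window = slice.get(pos..end)?;
    window.try_into().ok()
}

fn main() {
    // Constructed sample: the 3-byte slice from the advisory's example.
    let data = [0xAAu8, 0xBB, 0xCC];

    // The advisory's case: position 10 in a 3-byte slice is rejected.
    println!("4 bytes at pos 10: {:?}", read_arr::<4>(&data, 10));
    // In-range start, but the window runs past the end: also rejected.
    println!("4 bytes at pos 0:  {:?}", read_arr::<4>(&data, 0));
    // A window that fits is returned as a fixed-size array.
    println!("2 bytes at pos 1:  {:?}", read_arr::<2>(&data, 1));
    // pos + N overflow is caught before any slicing happens.
    println!("4 bytes at MAX:    {:?}", read_arr::<4>(&data, usize::MAX));
    // The single-byte case, decoded with u8::from_le_bytes.
    println!("u8 at pos 2:       {:?}", read_arr::<1>(&data, 2).map(u8::from_le_bytes));
}
```
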

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions