GHSA-Q8X8-JRHJ-FH9P
Vulnerability from github – Published: 2026-05-19 19:39 – Updated: 2026-05-19 19:39Diesel allows to register custom aggregate SQL functions for SQLite via the SqliteAggregate interface.
To store an instance of the custom aggregate processor Diesel relied on the sqlite3_aggregate_context function provided by sqlite. This function doesn't provide any guarantees about alignment of the returned allocation, which in turn can lead to problems if the type implementing requires a special alignment, e.g. via a custom #[align(x)] attribute on the type implementing this trait. This affects any user of SqliteAggregate that registers the custom aggregate function with an SQLite connection, while using a non-standard alignment on the type implementing this trait.
Mitigation
The preferred mitigation to the outlined problem is to update to a Diesel version 2.3.8 or newer, which includes fixes for the problem.
Resolution
Diesel now allocates the corresponding memory on Rust side to get a correctly aligned allocation.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "diesel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.3.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-188"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-19T19:39:37Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "Diesel allows to register custom aggregate SQL functions for SQLite via the `SqliteAggregate` interface.\n\nTo store an instance of the custom aggregate processor Diesel relied on the `sqlite3_aggregate_context` function provided by sqlite. This function doesn\u0027t provide any guarantees about alignment of the returned allocation, which in turn can lead to problems if the type implementing requires a special alignment, e.g. via a custom `#[align(x)]` attribute on the type implementing this trait. This affects any user of `SqliteAggregate` that registers the custom aggregate function with an SQLite connection, while using a non-standard alignment on the type implementing this trait.\n\n## Mitigation\n\nThe preferred mitigation to the outlined problem is to update to a Diesel version 2.3.8 or newer, which includes fixes for the problem.\n\n## Resolution\n\nDiesel now allocates the corresponding memory on Rust side to get a correctly aligned allocation.",
"id": "GHSA-q8x8-jrhj-fh9p",
"modified": "2026-05-19T19:39:38Z",
"published": "2026-05-19T19:39:37Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/diesel-rs/diesel/pull/5042"
},
{
"type": "PACKAGE",
"url": "https://github.com/diesel-rs/diesel"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2026-0137.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Diesel: Possible unaligned data access for implementations of `SqliteAggregate`"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.