GHSA-XRRQ-RRGQ-H89W
Vulnerability from github – Published: 2025-07-11 19:57 – Updated: 2025-07-11 19:57The affected function, MemBump::new(), would allocate memory without initializing it. Subsequently calling the created value's various allocmethods would then read and write the start of that memory as a Cell which isundefined behavior. Instead, it should zero initialize the start of the allocated memory.
For instance, some values could violate the internal invariants of the type and cause an assertion failure. Nevertheless, no deterministic read is known tocause further uninitialized memory to be exposed.
Affected downstream users that can not upgrade are advised to call MemBump::reset immediately after allocation to manually perform the missing write of the counter best-as-possible.
The flaw was corrected in commit d8d6a7d096d3aaafd963b356a8f1bbd8d26fd967 by zeroing the Cell at the start of the allocated memory.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "static-alloc"
},
"ranges": [
{
"events": [
{
"introduced": "0.2.2"
},
{
"fixed": "0.2.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-908"
],
"github_reviewed": true,
"github_reviewed_at": "2025-07-11T19:57:06Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "The affected function, `MemBump::new()`, would allocate memory without initializing it. Subsequently calling the created value\u0027s various `alloc`methods would then read and write the start of that memory as a `Cell` which isundefined behavior. Instead, it should zero initialize the start of the allocated memory.\n\nFor instance, some values could violate the internal invariants of the type and cause an assertion failure. Nevertheless, no deterministic read is known tocause further uninitialized memory to be exposed.\n\nAffected downstream users that can not upgrade are advised to call `MemBump::reset` immediately after allocation to manually perform the missing write of the counter best-as-possible.\n\nThe flaw was corrected in commit d8d6a7d096d3aaafd963b356a8f1bbd8d26fd967 by zeroing the Cell at the start of the allocated memory.",
"id": "GHSA-xrrq-rrgq-h89w",
"modified": "2025-07-11T19:57:06Z",
"published": "2025-07-11T19:57:06Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/197g/static-alloc/issues/81"
},
{
"type": "WEB",
"url": "https://github.com/197g/static-alloc/pull/82/commits/d8d6a7d096d3aaafd963b356a8f1bbd8d26fd967"
},
{
"type": "WEB",
"url": "https://github.com/197g/static-alloc"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2025-0042.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "static-alloc vulnerability leads to uninitialized read after allocating MemBump"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.