RUSTSEC-2021-0054

Archives may contain uninitialized memory

Issued
Package
rkyv (crates.io)
Type
Vulnerability
Categories
  • memory-exposure
Details
https://github.com/djkoloski/rkyv/issues/113
Patched
  • >=0.6.0
Keywords
  • uninitialized
  • memory
  • information
  • leak
Affected Functions
  • rkyv::Archive::resolve (versions <0.6.0)

Description

rkyv is a serialization framework that writes struct-compatible memory to be stored or transmitted. During serialization, struct padding bytes and unused enum bytes may not be initialized. These bytes may be written to disk or sent over unsecured channels.
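The padding the description refers to, shown as an added example (not code from rkyv or from this advisory). `Record` and every helper name are constructed for illustration. The block finds which bytes of a `#[repr(C)]` struct image are padding, builds the image in a zero-filled buffer so those bytes are defined, and checks an image for non-zero padding.

```rust
use std::mem::size_of;

// Constructed sample type (not from rkyv). repr(C) keeps field order, so the
// compiler inserts 3 padding bytes after `tag` and 3 after `flag`.
#[repr(C)]
#[derive(Default)]
struct Record { tag: u8, id: u32, flag: u8 }

// Offset of a field inside `base`, from safe pointer-to-integer casts.
fn off<T, F>(base: &T, field: &F) -> usize {
    field as *const F as usize - base as *const T as usize
}

// (offset, size) of every field of Record, in declaration order.
fn field_spans() -> Vec<(usize, usize)> {
    let r = Record::default();
    vec![(off(&r, &r.tag), 1), (off(&r, &r.id), 4), (off(&r, &r.flag), 1)]
}

// Byte ranges [start, end) of the struct image that no field covers.
fn padding_ranges(fields: &[(usize, usize)], total: usize) -> Vec<(usize, usize)> {
    let mut gaps = Vec::new();
    let mut cursor = 0;
    for &(o, len) in fields {
        if o > cursor { gaps.push((cursor, o)); }
        cursor = o + len;
    }
    if cursor < total { gaps.push((cursor, total)); }
    gaps
}

// Build the struct image in a zero-filled buffer, copying only field bytes,
// so padding positions never carry stale memory.
fn archive_zeroed(r: &Record) -> Vec<u8> {
    let spans = field_spans();
    let mut out = vec![0u8; size_of::<Record>()];
    out[spans[0].0] = r.tag;
    out[spans[1].0..spans[1].0 + 4].copy_from_slice(&r.id.to_ne_bytes());
    out[spans[2].0] = r.flag;
    out
}

// Audit check: offsets of padding bytes in `image` that are not zero.
fn dirty_padding(image: &[u8], gaps: &[(usize, usize)]) -> Vec<usize> {
    gaps.iter().flat_map(|&(s, e)| s..e).filter(|&i| image[i] != 0).collect()
}

fn main() {
    let gaps = padding_ranges(&field_spans(), size_of::<Record>());
    let image = archive_zeroed(&Record { tag: 7, id: 0xAABBCCDD, flag: 1 });
    println!("padding {:?}, dirty {:?}", gaps, dirty_padding(&image, &gaps));
}
```

A stale byte that happens to be zero passes `dirty_padding`, so the check confirms that padding was zeroed but cannot prove that a writer never copied uninitialized memory.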
