Reported

September 3, 2023

Issued

September 16, 2024 (last modified: October 28, 2025)

Package

lexical-core (crates.io)

Type

INFO Unsound

Aliases

• GHSA-2326-pfpj-vx3h

References

• https://github.com/Alexhuszagh/rust-lexical/issues/102
• https://github.com/Alexhuszagh/rust-lexical/issues/101
• https://github.com/Alexhuszagh/rust-lexical/issues/95
• https://github.com/Alexhuszagh/rust-lexical/issues/104
• https://github.com/Alexhuszagh/rust-lexical/issues/126

Related

• RUSTSEC-2023-0055

Patched

• >=1.0.0

Description

RUSTSEC-2024-0377 contains multiple soundness issues:

1. Bytes::read() allows creating instances of types with invalid bit patterns
2. BytesIter::read() advances iterators out of bounds
3. The BytesIter trait has safety invariants but is public and not marked unsafe
4. write_float() calls MaybeUninit::assume_init() on uninitialized data, which is is not allowed by the Rust abstract machine
5. radix() calls MaybeUninit::assume_init() on uninitialized data, which is is not allowed by the Rust abstract machine

Version 1.0 fixes these issues, removes the vast majority of unsafe code, and also fixes some correctness issues.

Advisory available under CC0-1.0 license.