
RUSTSEC-2025-0108

Uninitialized memory exposure in string reading functions

Reported
Issued
Package
ncurses (crates.io)
Type
INFO Unsound
Categories
Keywords
#memory-safety #soundness
References
Patched
no patched versions
Affected Functions (Version)
  • ncurses::inchnstr: <=6.0.1
  • ncurses::inchstr: <=6.0.1
  • ncurses::innstr: <=6.0.1
  • ncurses::mvwinchnstr: <=6.0.1
  • ncurses::mvwinchstr: <=6.0.1
  • ncurses::mvwinnstr: <=6.0.1
  • ncurses::winchnstr: <=6.0.1
  • ncurses::winchstr: <=6.0.1
  • ncurses::winnstr: <=6.0.1
  • ncurses::winstr: <=6.0.1

Description

Multiple string reading functions expose uninitialized memory by setting length to capacity when no null terminator is found.

This allows reading uninitialized memory which may contain sensitive data from previous allocations.
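The length rule described above, modelled in safe Rust as an added example (not code from the ncurses crate or from this advisory). A buffer pre-filled with constructed stale bytes stands in for uninitialized heap memory; all function names are hypothetical, and the bounded variant assumes the callee reports how many bytes it wrote.

```rust
/// Hypothetical stand-in for a foreign "read string into buffer" call:
/// copies `text` into the start of `buf` and writes no NUL terminator.
/// Returns the number of bytes written.
fn fill_no_nul(buf: &mut [u8], text: &[u8]) -> usize {
    let n = text.len().min(buf.len());
    buf[..n].copy_from_slice(&text[..n]);
    n
}

/// The rule the advisory describes: cut at the first NUL,
/// otherwise treat the whole capacity as valid string data.
fn len_capacity_fallback(buf: &[u8]) -> usize {
    buf.iter().position(|&b| b == 0).unwrap_or(buf.len())
}

/// Bounded rule: only bytes the callee reported writing are considered.
fn len_bounded(buf: &[u8], written: usize) -> usize {
    let w = written.min(buf.len());
    buf[..w].iter().position(|&b| b == 0).unwrap_or(w)
}

/// Runs both rules over a buffer whose previous contents are `stale`.
/// Returns (bytes exposed by the capacity fallback, bytes from the bounded rule).
fn demo(stale: &[u8], text: &[u8]) -> (Vec<u8>, Vec<u8>) {
    let mut buf = stale.to_vec(); // constructed: models leftover heap contents
    let written = fill_no_nul(&mut buf, text);
    let exposed = buf[..len_capacity_fallback(&buf)].to_vec();
    let bounded = buf[..len_bounded(&buf, written)].to_vec();
    (exposed, bounded)
}

fn main() {
    // Constructed sample: 23 stale bytes, 5 of which the callee overwrites.
    let (exposed, bounded) = demo(b"token=CONSTRUCTED-STALE", b"hello");
    println!("capacity fallback: {}", String::from_utf8_lossy(&exposed));
    println!("bounded:           {}", String::from_utf8_lossy(&bounded));

    // A zero-initialized buffer gives both rules a terminator to stop at.
    let (exposed, bounded) = demo(&[0u8; 16], b"hello");
    println!("zeroed buffer:     {} / {}",
             String::from_utf8_lossy(&exposed),
             String::from_utf8_lossy(&bounded));
}
```

In a real binding the stale bytes are whatever the allocator last held there, so the safe model only shows which bytes each rule hands back to the caller.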

The ncurses-rs repository is archived and unmaintained.

Advisory available under CC0-1.0 license.