RUSTSEC-2026-0008

Potential undefined behavior when dereferencing Buf struct

Reported

February 2, 2026

Issued

February 4, 2026

Package

git2 (crates.io)

Type

INFO Unsound

Categories

memory-corruption

Keywords

#undefined-behavior

References

https://github.com/rust-lang/git2-rs/pull/1213

Patched

>=0.20.4

Description

if we dereference the Buf struct right after calling new() or default() on Buf struct, it passes Null Pointer to the unsafe function slice::from_raw_parts. Based on the safety section documentation of function, data must be non-null and aligned even for zero-length slices or slices of ZSTs. Thus, passing Null Pointer will lead to undefined behavior.

Advisory available under CC0-1.0 license.