Reported

January 19, 2026

Issued

April 2, 2026

Package

scaly (crates.io)

Type

INFO Unsound

References

• https://github.com/rustsec/advisory-db/issues/2594

Patched

no patched versions

Description

Affected versions contain multiple safe APIs that can trigger undefined behavior:

• Array<T>::index can perform an out-of-bounds read.
• String::get_length can perform an out-of-bounds read.
• String::append_character can perform an invalid write.
• String::to_c_string can perform an out-of-bounds write.

These issues were reproduced against scaly 0.0.37 under Miri. And the crate is unmaintained.

Advisory available under CC0-1.0 license.