
RUSTSEC-2026-0129

Buffer overflow in Clusterings::from_i32_column_major_order()

Reported
Issued
Package: dahl-salso (crates.io)
Type: INFO Unsound
Categories
Keywords: #out-of-bounds #buffer-overflow
References
Patched: >=0.6.8

Description

The from_i32_column_major_order method can create inconsistent internal state. When labels length and n_items mismatch, n_clusterings becomes labels.len() / n_items (truncated), but subsequent calls to label() use indices that exceed the internal data bounds, causing a buffer overflow.

For example, Clusterings::from_i32_column_major_order(&[1,2,3,4,5], 3) creates clusterings with n_clusterings = 5/3 = 1. Then clusterings.label(1, 0) accesses index 1*3 = 3, but only 3 elements exist (indices 0,1,2), causing out-of-bounds access.

This can be triggered through safe public APIs — from_i32_column_major_order() and label() — with no unsafe required from the caller.
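
The shape invariant the description depends on, enforced at both ends, as an added example (not dahl-salso's code and not its 0.6.8 patch). CheckedClusterings, ShapeError and new are hypothetical names; the flat index clustering * n_items + item is taken from the arithmetic above, and the column-major reordering is omitted.

```rust
/// Hypothetical stand-in for the crate's `Clusterings`; not dahl-salso code.
#[derive(Debug)]
pub struct CheckedClusterings {
    n_items: usize,
    n_clusterings: usize,
    labels: Vec<i32>,
}

#[derive(Debug, PartialEq)]
pub enum ShapeError {
    ZeroItems,
    /// `labels.len()` is not a whole number of clusterings.
    Ragged { len: usize, n_items: usize },
}

impl CheckedClusterings {
    /// Rejects ragged input instead of truncating `labels.len() / n_items`.
    pub fn new(labels: &[i32], n_items: usize) -> Result<Self, ShapeError> {
        if n_items == 0 {
            return Err(ShapeError::ZeroItems);
        }
        if labels.len() % n_items != 0 {
            return Err(ShapeError::Ragged { len: labels.len(), n_items });
        }
        let n_clusterings = labels.len() / n_items;
        Ok(Self { n_items, n_clusterings, labels: labels.to_vec() })
    }

    /// Bounds-checked lookup: both indices are validated, so an oversized
    /// `item` cannot silently read a label from the next clustering.
    pub fn label(&self, clustering: usize, item: usize) -> Option<i32> {
        if clustering >= self.n_clusterings || item >= self.n_items {
            return None;
        }
        self.labels.get(clustering * self.n_items + item).copied()
    }
}

fn main() {
    // Constructed inputs: the advisory's 5-label case, then a well-formed one.
    println!("{:?}", CheckedClusterings::new(&[1, 2, 3, 4, 5], 3).map(|c| c.n_clusterings));
    let ok = CheckedClusterings::new(&[1, 2, 3, 4, 5, 6], 3).unwrap();
    println!("{:?} {:?}", ok.label(1, 0), ok.label(2, 0));
}
```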

Advisory available under CC0-1.0 license.