RUSTSEC-2026-0132

Potential out-of-bounds write via public Context fields


This advisory has been withdrawn and should be ignored. It is kept only for reference.


Reported:
Issued:
Package: ssdeep (crates.io)
Type: INFO Unsound
Categories:
Keywords: #out-of-bounds #encapsulation
References:
Patched: no patched versions

Description

The Context struct has all fields public (pub d_len, pub digest, etc.). Code from other modules within the same crate can directly modify d_len to a value exceeding the digest vector length. When reset() is subsequently called, self.digest[self.d_len as usize] = 0 becomes an out-of-bounds write.

Withdrawal

This advisory has been withdrawn because the above unsoundness cannot be triggered in safe code by dependents of the crate, as the Context struct is not public. It merely represents an opportunity for improvement for the crate's internals.
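The kind of internal hardening the withdrawal note points to, as an added example that is not the ssdeep crate's code: a struct with public fields beside a version whose private fields keep d_len inside the digest. Only Context, d_len, digest and reset() come from the advisory; the module names, set_d_len, the helper functions and the 8-byte digest are assumptions, and the "before" reset() uses a checked access so the broken invariant shows up as an error value.

```rust
// Added illustration, not the ssdeep crate's code; names other than Context,
// d_len, digest and reset() are hypothetical.
mod before {
    // All fields pub: any module in the crate can break d_len < digest.len().
    pub struct Context { pub d_len: u32, pub digest: Vec<u8> }
    impl Context {
        pub fn new(cap: usize) -> Self { Context { d_len: 0, digest: vec![0; cap] } }
        // Checked stand-in for `self.digest[self.d_len as usize] = 0`.
        pub fn reset(&mut self) -> Result<(), String> {
            let len = self.digest.len();
            match self.digest.get_mut(self.d_len as usize) {
                Some(b) => { *b = 0; Ok(()) }
                None => Err(format!("d_len {} outside {}-byte digest", self.d_len, len)),
            }
        }
    }
}
mod after {
    // Private fields: d_len changes only through a method that keeps it in range.
    pub struct Context { d_len: u32, digest: Vec<u8> }
    impl Context {
        pub fn new(cap: usize) -> Self {
            assert!(cap > 0, "digest must hold at least one byte");
            Context { d_len: 0, digest: vec![0; cap] }
        }
        pub fn set_d_len(&mut self, n: u32) -> Result<(), String> {
            if (n as usize) >= self.digest.len() {
                return Err(format!("d_len {} rejected", n));
            }
            self.d_len = n;
            Ok(())
        }
        pub fn reset(&mut self) { self.digest[self.d_len as usize] = 0; }
        pub fn d_len(&self) -> u32 { self.d_len }
    }
}
// Code elsewhere in the same crate, the situation the advisory describes.
pub fn break_before() -> Result<(), String> {
    let mut c = before::Context::new(8);
    c.d_len = 64; // compiles because the field is pub
    c.reset()
}
pub fn break_after() -> (Result<(), String>, u32) {
    let mut c = after::Context::new(8);
    let r = c.set_d_len(64); // `c.d_len = 64` would not compile here
    c.reset(); // index is still in range
    (r, c.d_len())
}
fn main() { println!("{:?} {:?}", break_before(), break_after()); }
```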

Advisory available under CC0-1.0 license.