
RUSTSEC-2026-0132

Potential out-of-bounds write via public Context fields

Reported:
Issued:
Package: ssdeep (crates.io)
Type: INFO Unsound
Categories:
Keywords: #out-of-bounds #encapsulation
References:
Patched: no patched versions

Description

The Context struct has all fields public (pub d_len, pub digest, etc.). External code can directly modify d_len to a value exceeding the digest vector length. When reset() is subsequently called, self.digest[self.d_len as usize] = 0 indexes out of bounds, causing an out-of-bounds write.

This can be triggered through safe code — modifying public Context fields and then calling reset() — with no unsafe required.
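
One way to close this class of bug is to make the length and buffer private and to bounds-check the write in reset(). The sketch below is an added example, not code from the ssdeep crate: the module, the OutOfRange type, DIGEST_CAP and the push() method are hypothetical, and reset() models only the single write quoted above.

```rust
// Added illustration: every name here is hypothetical, not the ssdeep crate's API.
mod hardened {
    pub const DIGEST_CAP: usize = 64; // constructed capacity for the example
    #[derive(Debug, PartialEq)]
    pub struct OutOfRange(pub u32);

    pub struct Context {
        d_len: u32,      // private, so callers cannot break d_len < digest.len()
        digest: Vec<u8>, // private, so callers cannot shrink the buffer under d_len
    }

    impl Context {
        pub fn new() -> Self {
            Context { d_len: 0, digest: vec![0; DIGEST_CAP] }
        }

        pub fn d_len(&self) -> u32 { self.d_len }
        /// Read-only view of the bytes written so far.
        pub fn digest(&self) -> &[u8] { &self.digest[..self.d_len as usize] }

        /// Appends one byte, always leaving room for the terminator slot.
        pub fn push(&mut self, byte: u8) -> Result<(), OutOfRange> {
            let next = self.d_len + 1;
            if next as usize >= self.digest.len() {
                return Err(OutOfRange(next));
            }
            self.digest[self.d_len as usize] = byte;
            self.d_len = next;
            Ok(())
        }

        /// Models the advisory's reset() write, with a checked index as a second guard.
        pub fn reset(&mut self) -> Result<(), OutOfRange> {
            let len = self.d_len;
            let slot = self.digest.get_mut(len as usize).ok_or(OutOfRange(len))?;
            *slot = 0;
            self.d_len = 0;
            Ok(())
        }
    }
}

fn main() {
    let mut ctx = hardened::Context::new();
    for b in b"abc" { ctx.push(*b).unwrap(); }
    println!("{:?} len={}", ctx.digest(), ctx.d_len());
    ctx.reset().unwrap();
    // ctx.d_len = 9999; // rejected at compile time: field `d_len` is private
}
```

With the fields private, the invariant d_len < digest.len() can only be changed by methods that check it, so reset() never sees an index chosen by external code.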

Advisory available under CC0-1.0 license.