RUSTSEC-2026-0134

Unsound access to padding bytes while serializing date/time values using the Mysql backend

Reported

April 24, 2026

Issued

May 13, 2026

Package

diesel (crates.io)

Type

INFO Unsound

References

https://github.com/diesel-rs/diesel/pull/5042

Patched

>=2.3.8

Affected Functions

Version

diesel::serialize::ToSql<Date,Mysql>

<2.3.8

diesel::serialize::ToSql<DateTime,Mysql>

<2.3.8

diesel::serialize::ToSql<Time,Mysql>

<2.3.8

diesel::serialize::ToSql<Timestamp,Mysql>

<2.3.8

Description

Diesel relies on libmysqlclient for interacting with Mysql compatible databases. This library requires to provide date/time values according to the byte layout of their MYSQL_TIME type.

Diesel replicated this type as #[repr(C)] struct, populated all the fields of this struct and then casted this value to an array of bytes. As this cast exposes padding bytes contained in this struct, this is undefined behaviour.

This vulnerability affects any user serializing date/time values using the Mysql backend.

Mitigation

The preferred mitigation to the outlined problem is to update to Diesel version 2.3.8 or newer, which includes fixes for the problem.

Resolution

Diesel now manually serializes the relevant data without accessing the padding bytes.

Advisory available under CC0-1.0 license.