RUSTSEC-2026-0183

Potential undefined behavior when calling Remote::list()

Reported

May 12, 2026

Issued

June 17, 2026

Package

git2 (crates.io)

Type

INFO Unsound

Keywords

#git2

References

https://github.com/rust-lang/git2-rs/pull/1250

Patched

>=0.21.0

Description

When calling Remote::list() for a remote of a git repository, when that remote does not advertise any references, git2 passes a null pointer to the unsafe function slice::from_raw_parts(). Based on the safety section documentation of function, data must be non-null even for slices of length zero. Thus, the use of a null pointer leads to undefined behavior.

Advisory available under CC0-1.0 license.