RUSTSEC-2026-0184

Potential undefined behavior with Signature from a buffer-created BlameHunk

Reported
Issued
Package: git2 (crates.io)
Type: INFO Unsound
Keywords: #git2
References
Patched: >=0.21.0

Description

When a Blame is created via Blame::blame_buffer(), and a BlameHunk is retrieved, the pointers to the original author, original committer, final author, and final committer may be null if unavailable. The corresponding BlameHunk methods then create Signatures based on null pointers; attempting to access the data of the Signatures leads to dereferencing null pointers.
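The pattern described above, modeled with the standard library only. This is an added example, not git2's or libgit2's code and not the actual patch. RawSignature, RawHunk, Hunk, Signature and demo are hypothetical stand-ins; the sketch contrasts a wrapper built from an unchecked pointer with one that maps a null pointer to None.

```rust
use std::ffi::CStr;
use std::marker::PhantomData;
use std::os::raw::c_char;
use std::ptr;

// Hypothetical C-side records (not libgit2's real layout).
#[repr(C)]
pub struct RawSignature { name: *const c_char }
#[repr(C)]
pub struct RawHunk { final_sig: *const RawSignature, orig_sig: *const RawSignature }

pub struct Signature<'a> { raw: *const RawSignature, _owner: PhantomData<&'a RawHunk> }

impl<'a> Signature<'a> {
    // Unsound shape: wraps any pointer, so null yields a Signature whose
    // accessors dereference null. Kept for contrast; never called here.
    #[allow(dead_code)]
    unsafe fn from_raw_unchecked(raw: *const RawSignature) -> Self {
        Signature { raw, _owner: PhantomData }
    }
    // Checked shape: a null pointer becomes None, so no wrapper exists for it.
    unsafe fn from_raw(raw: *const RawSignature) -> Option<Self> {
        if raw.is_null() { None } else { Some(Signature { raw, _owner: PhantomData }) }
    }
    pub fn name(&self) -> Option<&str> {
        // Sound only because from_raw guarantees self.raw is non-null.
        let p = unsafe { (*self.raw).name };
        if p.is_null() { return None; }
        unsafe { CStr::from_ptr(p) }.to_str().ok()
    }
}

pub struct Hunk<'a> { raw: &'a RawHunk }
impl<'a> Hunk<'a> {
    pub fn final_signature(&self) -> Option<Signature<'a>> {
        unsafe { Signature::from_raw(self.raw.final_sig) }
    }
    pub fn orig_signature(&self) -> Option<Signature<'a>> {
        unsafe { Signature::from_raw(self.raw.orig_sig) }
    }
}

fn name_of(s: Option<Signature<'_>>) -> Option<String> {
    s.and_then(|s| s.name().map(String::from))
}

// Constructed sample: final signature present, original signature null.
pub fn demo() -> (Option<String>, Option<String>) {
    let sig = RawSignature { name: b"Alice\0".as_ptr() as *const c_char };
    let raw = RawHunk { final_sig: &sig, orig_sig: ptr::null() };
    let hunk = Hunk { raw: &raw };
    (name_of(hunk.final_signature()), name_of(hunk.orig_signature()))
}

fn main() { println!("{:?}", demo()); }
```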

Advisory available under CC0-1.0 license.