RUSTSEC-2026-0197

Matrix{2,3,4}::swap_columns can trigger undefined behavior for identical indices

Reported
Issued
Package: cgmath (crates.io)
Type: INFO Unsound
Categories
Keywords: #soundness #undefined-behavior #aliasing #stacked-borrows
References
Patched: no patched versions

Affected Functions and Versions
  • cgmath::Matrix2::swap_columns: =0.18.0
  • cgmath::Matrix3::swap_columns: =0.18.0
  • cgmath::Matrix4::swap_columns: =0.18.0

Description

The Matrix2::swap_columns, Matrix3::swap_columns, and Matrix4::swap_columns implementations call ptr::swap(&mut self[a], &mut self[b]).

When a == b, these safe APIs create two mutable references to the same matrix column and pass them to ptr::swap. This violates Rust's aliasing rules and can trigger undefined behavior. The issue can be reproduced from safe Rust by calling swap_columns with identical column indices, for example m.swap_columns(0, 0).

A minimal fix is to return early when the two column indices are equal before calling ptr::swap.
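The early-return guard described above, shown as an added example on a stand-in type; this is not cgmath's code or its patch. ColMatrix and sample are hypothetical names, and deriving both pointers from a single base pointer is a choice made for this example so that no two mutable references are formed.

```rust
use std::ptr;

/// Hypothetical stand-in for a column-major N x N matrix (not cgmath's type).
#[derive(Debug, Clone, PartialEq)]
pub struct ColMatrix<const N: usize> {
    pub cols: [[f32; N]; N],
}

impl<const N: usize> ColMatrix<N> {
    /// Swap columns `a` and `b`; identical indices leave the matrix unchanged.
    pub fn swap_columns(&mut self, a: usize, b: usize) {
        // Check bounds up front so the pointer arithmetic below stays in range.
        assert!(a < N && b < N, "column index out of range");
        // Guard recommended by the advisory: with a == b there is nothing to
        // swap, and returning here means the same column is never borrowed twice.
        if a == b {
            return;
        }
        // Pattern described in the advisory (deliberately not used here):
        //     ptr::swap(&mut self[a], &mut self[b])
        // Assumption of this example: take one mutable borrow of the array and
        // derive both column pointers from it.
        let base: *mut [f32; N] = self.cols.as_mut_ptr();
        // SAFETY: a and b are in bounds and distinct, and both pointers come
        // from `base`, which is valid for reads and writes of N columns.
        unsafe { ptr::swap(base.add(a), base.add(b)) }
    }
}

/// Constructed sample input: column i is filled with the value i.
pub fn sample<const N: usize>() -> ColMatrix<N> {
    let mut cols = [[0.0f32; N]; N];
    for (i, c) in cols.iter_mut().enumerate() {
        *c = [i as f32; N];
    }
    ColMatrix { cols }
}

fn main() {
    let mut m = sample::<3>();
    m.swap_columns(0, 0); // identical indices: no-op
    println!("after swap_columns(0, 0): {:?}", m.cols);
    m.swap_columns(0, 2);
    println!("after swap_columns(0, 2): {:?}", m.cols);
}
```

Running a test suite that exercises the a == b case under Miri is a practical way to confirm that a swap routine like this has no aliasing violation.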

Advisory available under CC0-1.0 license.