{"id":"RUSTSEC-2026-0132","summary":"Potential out-of-bounds write via public `Context` fields","details":"The `Context` struct has all fields public (`pub d_len`, `pub digest`, etc.).\nExternal code can directly modify `d_len` to a value exceeding the `digest`\nvector length. When `reset()` is subsequently called,\n`self.digest[self.d_len as usize] = 0` indexes out of bounds, causing an\nout-of-bounds write.\n\nThis can be triggered through safe code — modifying public `Context` fields\nand then calling `reset()` — with no `unsafe` required.","modified":"2026-05-13T12:45:14.587142Z","published":"2026-05-02T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/ssdeep"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2026-0132.html"},{"type":"REPORT","url":"https://github.com/rustysec/fuzzyhash-rs/issues/14"}],"affected":[{"package":{"name":"ssdeep","ecosystem":"crates.io","purl":"pkg:cargo/ssdeep"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"}]}],"ecosystem_specific":{"affected_functions":null,"affects":{"functions":[],"os":[],"arch":[]}},"database_specific":{"categories":["memory-corruption"],"cvss":null,"informational":"unsound","source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0132.json"}}],"schema_version":"1.7.5"}