{"id":"RUSTSEC-2026-0134","summary":"Unsound access to padding bytes while serializing date/time values using the Mysql backend","details":"Diesel relies on libmysqlclient for interacting with Mysql compatible databases. This library requires to provide date/time values according to the byte layout of their `MYSQL_TIME` type.\n\nDiesel replicated this type as `#[repr(C)]` struct, populated all the fields of this struct and then casted this value to an array of bytes. As this cast exposes padding bytes contained in this struct, this is undefined behaviour.\n\nThis vulnerability affects any user serializing date/time values using the Mysql backend.\n\n## Mitigation\n\nThe preferred mitigation to the outlined problem is to update to Diesel version 2.3.8 or newer, which includes fixes for the problem.\n\n## Resolution\n\nDiesel now manually serializes the relevant data without accessing the padding bytes.","modified":"2026-05-13T14:30:06.407754Z","published":"2026-04-24T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/diesel"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2026-0134.html"},{"type":"WEB","url":"https://github.com/diesel-rs/diesel/pull/5042"}],"affected":[{"package":{"name":"diesel","ecosystem":"crates.io","purl":"pkg:cargo/diesel"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"},{"fixed":"2.3.8"}]}],"ecosystem_specific":{"affects":{"functions":["diesel::serialize::ToSql\u003cDate,Mysql\u003e","diesel::serialize::ToSql\u003cDateTime,Mysql\u003e","diesel::serialize::ToSql\u003cTime,Mysql\u003e","diesel::serialize::ToSql\u003cTimestamp,Mysql\u003e"],"os":[],"arch":[]},"affected_functions":null},"database_specific":{"informational":"unsound","source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0134.json","cvss":null,"categories":[]}}],"schema_version":"1.7.5"}