Miggo Logo
Miggo Vulnerability Database
GHSA-fp5x-7m4q-449f

GHSA-fp5x-7m4q-449f: Direct Ring Buffer has uninitialized memory exposure in create_ring_buffer

N/A

CVSS Score

Basic Information

CVE ID
-
GHSA ID
GHSA-fp5x-7m4q-449f
EPSS Score
-
CWE
CWE-908
Published
10/21/2025
Updated
10/21/2025
KEV Status
No
Technology
TechnologyRust

Technical Details

CVSS Vector
-
Package NameEcosystemVulnerable VersionsFirst Patched Version
direct_ring_bufferrust< 0.2.20.2.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability originates in the direct_ring_buffer::create_ring_buffer function. The original implementation allocated memory for the ring buffer but did not initialize it, which is a violation of Rust's safety rules when dealing with types that have validity invariants (e.g., bool must be 0 or 1). The functions direct_ring_buffer::Producer::write_slices and direct_ring_buffer::Consumer::read_slices are the primary vectors for triggering this vulnerability. They create typed slices (&mut [T] and &[T]) from the uninitialized memory, which leads to undefined behavior when these slices are accessed. The fix, applied in version 0.2.2, addresses the root cause by changing create_ring_buffer to use resize_with to fill the buffer with default values, thus ensuring that the memory is always initialized. Therefore, any runtime profile of an exploitation attempt would likely show calls to write_slices or read_slices operating on a buffer created by the vulnerable version of create_ring_buffer.

Vulnerable functions

direct_ring_buffer::create_ring_buffer
src/lib.rs
This function is the root cause of the vulnerability. It allocated a buffer on the heap but failed to initialize the memory, leaving it in an indeterminate state. Subsequent operations that assume the memory is initialized would then lead to undefined behavior.
direct_ring_buffer::Producer::write_slices
src/lib.rs
This function serves as a runtime indicator for the vulnerability. It provides a closure with a mutable slice to the ring buffer's memory. When the buffer is uninitialized, creating a typed slice `&mut [T]` (for types other than `MaybeUninit<T>`) and writing to it constitutes undefined behavior. An attacker could exploit this to trigger memory corruption or other unpredictable behavior.
direct_ring_buffer::Consumer::read_slices
src/lib.rs
This function is another runtime indicator. It allows reading from the buffer via a slice. If parts of the buffer that are marked as 'used' have not been properly initialized (which is possible with the vulnerable `create_ring_buffer` function), then creating a typed slice `&[T]` and reading from it will read uninitialized memory, leading to undefined behavior.

WAF Protection Rules

WAF Rule

T** s*** *un*tion `*r**t*_rin*_*u***r` *llo**t*s * *u***r usin* `V**::wit*_**p**ity` *ollow** *y `s*t_l*n`, *r**tin* * `*ox<[T]>` *ont*inin* uniniti*liz** m*mory. T*is l***s to un***in** ****vior w**n *un*tions lik* `writ*_sli**s` *r**t* typ** sli**

Reasoning

T** vuln*r**ility ori*in*t*s in t** `*ir**t_rin*_*u***r::*r**t*_rin*_*u***r` *un*tion. T** ori*in*l impl*m*nt*tion *llo**t** m*mory *or t** rin* *u***r *ut *i* not initi*liz* it, w*i** is * viol*tion o* Rust's s***ty rul*s w**n ***lin* wit* typ*s t**