N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-h5j3-crg5-8jqm

EPSS Score

CWE

CWE-119

Published

10/21/2025

Updated

10/21/2025

KEV Status

Technology

Rust

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-h5j3-crg5-8jqm

GHSA-h5j3-crg5-8jqm: orx-pinned-vec has undefined behavior in index_of_ptr with empty slices

The safe function index_of_ptr causes undefined behavior when called with an empty slice.

The issue occurs in the line ptr.add(slice.len() - 1) which underflows when slice.len() is 0, creating a pointer with a massive offset. According to Rust's safety rules, creating such a pointer causes immediate undefined behavior.

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-h5j3-crg5-8jqm

EPSS Score

CWE

CWE-119

Published

10/21/2025

Updated

10/21/2025

KEV Status

Technology

Rust

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
orx-pinned-vec	rust	< 3.21.0	3.21.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in the index_of_ptr function within the orx-pinned-vec crate. The provided patch directly modifies this function to fix an integer underflow that leads to undefined behavior. The vulnerable code path is triggered when an empty slice is passed to the function. The problematic line ptr.add(slice.len() - 1) attempts to calculate the end of the slice, but for an empty slice, slice.len() is 0, causing an underflow. This results in the creation of an out-of-bounds pointer, which is considered undefined behavior in Rust. The fix replaces the manual pointer arithmetic with a safer method slice.as_ptr_range().contains() to check if the pointer is within the slice's bounds. Therefore, any runtime profile of an exploit of this vulnerability would show the index_of_ptr function.

Vulnerable functions

index_of_ptr

src/utils/slice.rs

The function `index_of_ptr` is vulnerable to an integer underflow. When the input `slice` has a length of 0, the expression `slice.len() - 1` underflows, resulting in a large positive number. This value is then used as an offset in `ptr.add()`, creating a pointer far outside the bounds of the slice. According to Rust's safety guarantees, creating such a pointer, even without dereferencing it, constitutes immediate undefined behavior. The vulnerable code was replaced with `slice.as_ptr_range().contains(&element_ptr)` which correctly handles empty slices.

WAF Protection Rules

WAF Rule

T** s*** *un*tion `in**x_o*_ptr` **us*s un***in** ****vior w**n **ll** wit* *n *mpty sli**. T** issu* o**urs in t** lin* `ptr.***(sli**.l*n() - *)` w*i** un**r*lows w**n `sli**.l*n()` is *, *r**tin* * point*r wit* * m*ssiv* o**s*t. ***or*in* to Rust

Reasoning

T** vuln*r**ility li*s in t** `in**x_o*_ptr` *un*tion wit*in t** `orx-pinn**-v**` *r*t*. T** provi*** p*t** *ir**tly mo*i*i*s t*is *un*tion to *ix *n int***r un**r*low t**t l***s to un***in** ****vior. T** vuln*r**l* *o** p*t* is tri***r** w**n *n *m

N/A

Basic Information

Concerned about an active attack path?

GHSA-h5j3-crg5-8jqm: orx-pinned-vec has undefined behavior in index_of_ptr with empty slices

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI