N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-wwxp-hxh6-8gf8

EPSS Score

CWE

CWE-120

Published

10/22/2025

Updated

10/22/2025

KEV Status

Technology

Rust

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-wwxp-hxh6-8gf8

GHSA-wwxp-hxh6-8gf8: binary_vec_io access memory out-of-bounds in binary_read_to_ref and binary_write_from_ref

Safe functions accept a single &T or &mut T but multiply by n to create slices extending beyond allocated memory when n > 1.

These functions use from_raw_parts to create slices larger than the underlying allocation, violating memory safety.

The binary_vec_io repository is archived and unmaintained.

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-wwxp-hxh6-8gf8

EPSS Score

CWE

CWE-120

Published

10/22/2025

Updated

10/22/2025

KEV Status

Technology

Rust

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
binary_vec_io	rust	<= 0.1.12

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in two functions, binary_write_from_ref and binary_read_to_ref, within the binary_vec_io crate. These functions are marked as safe, meaning they should not cause undefined behavior regardless of the inputs. However, they both misuse unsafe blocks.

The core of the issue is that both functions accept a reference to a single instance of a generic type T (p: &T or p: &mut T), but also take a usize parameter n that specifies a number of elements to read or write. The functions then proceed to create a slice from the pointer p with a size of n * std::mem::size_of::<T>() bytes. When n is greater than 1, the created slice extends beyond the bounds of the single T that p points to. This leads to out-of-bounds memory access.

For binary_write_from_ref, this results in an out-of-bounds read from the memory region after p. For binary_read_to_ref, this results in an out-of-bounds write into the memory region after p.

This type of memory safety violation can be exploited to cause denial of service through a panic, or potentially lead to arbitrary code execution in some scenarios. The vulnerability is confirmed by the provided gist, which includes a proof-of-concept and Miri's undefined behavior detection output.

Vulnerable functions

binary_write_from_ref

binary_vec_io/src/lib.rs

The function takes a reference `p` to a single object of type `T` but creates a slice of `n` objects. If `n` is greater than 1, `std::slice::from_raw_parts` will create a slice that reads beyond the memory allocated for `p`, leading to an out-of-bounds read.

binary_read_to_ref

binary_vec_io/src/lib.rs

The function takes a mutable reference `p` to a single object of type `T` but creates a mutable slice to read `n` objects into. If `n` is greater than 1, `std::slice::from_raw_parts_mut` will create a slice that allows writing beyond the memory allocated for `p`, leading to an out-of-bounds write.

WAF Protection Rules

WAF Rule

S*** *un*tions ****pt * sin*l* `&T` or `&mut T` *ut multiply *y `n` to *r**t* sli**s *xt*n*in* **yon* *llo**t** m*mory w**n `n > *`. T**s* *un*tions us* `*rom_r*w_p*rts` to *r**t* sli**s l*r**r t**n t** un**rlyin* *llo**tion, viol*tin* m*mory s***ty

Reasoning

T** vuln*r**ility li*s in two *un*tions, `*in*ry_writ*_*rom_r**` *n* `*in*ry_r***_to_r**`, wit*in t** `*in*ry_v**_io` *r*t*. T**s* *un*tions *r* m*rk** *s s***, m**nin* t**y s*oul* not **us* un***in** ****vior r***r*l*ss o* t** inputs. *ow*v*r, t**y

N/A

Basic Information

Concerned about an active attack path?

GHSA-wwxp-hxh6-8gf8: binary_vec_io access memory out-of-bounds in binary_read_to_ref and binary_write_from_ref

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI