Miggo Logo

GHSA-x77x-7mmh-cxv3: ncurses exposes uninitialized memory in string reading functions

N/A

CVSS Score

Basic Information

CVE ID
-
EPSS Score
-
Published
10/22/2025
Updated
10/22/2025
KEV Status
No
Technology
TechnologyRust

Technical Details

CVSS Vector
-
Package NameEcosystemVulnerable VersionsFirst Patched Version
ncursesrust<= 6.0.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability lies in a common pattern across multiple string-reading functions in the ncurses-rs library. These functions allocate a buffer (either a Vec<chtype> or a String) and pass it to an underlying C function from the ncurses library to be filled with data read from the screen. The core of the vulnerability is in the logic that determines the length of the data read. In cases where the underlying C function does not find a null terminator in the input, these wrapper functions incorrectly assume that the entire buffer capacity has been filled with valid data. They do this by calling s.set_len(capacity). This action makes uninitialized memory, which may contain sensitive data from previous operations, accessible as if it were valid string or vector content. The analysis of the src/lib.rs file reveals 11 functions that explicitly follow this flawed pattern. An additional function, wgetnstr, has a similar issue where it sets the buffer length to its capacity before the read, and then iterates over it, potentially reading uninitialized memory. Several other functions are wrappers that directly call these vulnerable functions, thus propagating the vulnerability. Since the ncurses-rs repository is archived and unmaintained, no patch is available.

Vulnerable functions

inchnstr
src/lib.rs
The function reads from the screen into a buffer `s`. If no null terminator is found within the read data, it sets the length of the vector `s` to its capacity. This capacity can be larger than the number of bytes actually written by the underlying C function `ll::inchnstr`, leading to the exposure of uninitialized memory.
inchstr
src/lib.rs
The function reads from the screen into a buffer `s`. If no null terminator is found, it sets the length of the vector `s` to its capacity, which may be larger than the data read, exposing uninitialized memory.
innstr
src/lib.rs
The function reads from the screen into a string `s`. If no null terminator is found, it sets the length of the string's underlying vector to its capacity. This can expose uninitialized memory if the capacity is greater than the bytes read.
mvwinchnstr
src/lib.rs
This function moves the cursor and then reads from the screen. It suffers from the same vulnerability as `inchnstr`, setting the buffer length to its capacity and exposing uninitialized memory when no null terminator is found.
mvwinchstr
src/lib.rs
Similar to `inchstr`, this function moves the cursor and then reads from the screen, setting the buffer length to its capacity and exposing uninitialized memory if no null terminator is present.
mvwinnstr
src/lib.rs
This function moves the cursor and then reads into a string. It shares the same vulnerability as `innstr`, setting the buffer length to its capacity and exposing uninitialized memory.
mvwinstr
src/lib.rs
This function moves the cursor and reads into a string, setting the buffer length to its capacity and exposing uninitialized memory if no null terminator is found.
winchnstr
src/lib.rs
This function reads from a window into a buffer and is vulnerable in the same way as `inchnstr`, exposing uninitialized memory by setting the buffer length to its capacity.
winchstr
src/lib.rs
This function reads from a window into a buffer and is vulnerable in the same way as `inchstr`, exposing uninitialized memory.
winnstr
src/lib.rs
This function reads from a window into a string and is vulnerable in the same way as `innstr`, exposing uninitialized memory.
winstr
src/lib.rs
This function reads from a window into a string and is vulnerable in the same way as `mvwinstr`, exposing uninitialized memory.
wgetnstr
src/lib.rs
The function sets the length of `buff` to its capacity before the read. If the read operation writes fewer bytes than the capacity and no null terminator is present, the subsequent `.iter()` will read from uninitialized memory.

WAF Protection Rules

WAF Rule

Multipl* strin* r***in* *un*tions *xpos* uniniti*liz** m*mory *y s*ttin* l*n*t* to **p**ity w**n no null t*rmin*tor is *oun*. T*is *llows r***in* uniniti*liz** m*mory w*i** m*y *ont*in s*nsitiv* **t* *rom pr*vious *llo**tions. T** n*urs*s-rs r*posi

Reasoning

T** vuln*r**ility li*s in * *ommon p*tt*rn **ross multipl* strin*-r***in* *un*tions in t** `n*urs*s-rs` li*r*ry. T**s* *un*tions *llo**t* * *u***r (*it**r * `V**<**typ*>` or * `Strin*`) *n* p*ss it to *n un**rlyin* * *un*tion *rom t** n*urs*s li*r*ry