rustsec-2026-0134
Vulnerability from osv_rustsec
Published: 2026-04-24 12:00
Modified: 2026-05-13 14:16
Summary
Unsound access to padding bytes while serializing date/time values using the Mysql backend
Details
Diesel relies on libmysqlclient for interacting with Mysql compatible databases. This library requires date/time values to be provided according to the byte layout of its MYSQL_TIME type.
Diesel replicated this type as a #[repr(C)] struct, populated all of its fields, and then cast the value to an array of bytes. Because this cast exposes the padding bytes contained in the struct, it is undefined behaviour.
This vulnerability affects any user serializing date/time values using the Mysql backend.
Mitigation
The preferred mitigation for the outlined problem is to update to Diesel version 2.3.8 or newer, which includes fixes for the problem.
Resolution
Diesel now manually serializes the relevant data without accessing the padding bytes.
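The unsound whole-struct cast next to the sound field-by-field replacement, as an added example that is not Diesel's code. The MysqlTime struct below is modelled on libmysqlclient's MYSQL_TIME, but its field types (and therefore the padding offsets) are assumptions for a 64-bit LP64 target; serialize() also reports which byte offsets no field covers, i.e. exactly the bytes the cast would have leaked.

```rust
use std::mem::{offset_of, size_of};

/// Rust mirror of libmysqlclient's MYSQL_TIME, constructed for this example.
/// Field types are assumptions for an LP64 target, not Diesel's own definition.
#[repr(C)]
#[derive(Clone, Copy, Debug, Default)]
pub struct MysqlTime {
    pub year: u32,
    pub month: u32,
    pub day: u32,
    pub hour: u32,
    pub minute: u32,
    pub second: u32,
    pub second_part: u64, // `unsigned long` on LP64
    pub neg: u8,          // my_bool; 3 padding bytes follow because i32 is 4-aligned
    pub time_type: i32,   // enum enum_mysql_timestamp_type
    pub time_zone_displacement: i32, // trailing padding rounds the struct up to 48
}

/// The unsound pattern the advisory describes: viewing the whole struct as a byte
/// slice also reads its padding, which is uninitialized memory. Nothing calls it.
#[allow(dead_code)]
unsafe fn as_bytes_unsound(t: &MysqlTime) -> &[u8] {
    unsafe { std::slice::from_raw_parts(t as *const MysqlTime as *const u8, size_of::<MysqlTime>()) }
}

/// Sound replacement: copy each field to its C offset in a zeroed buffer, so padding
/// is never read and is zero on the wire. Also returns the offsets no field covers.
pub fn serialize(t: &MysqlTime) -> (Vec<u8>, Vec<usize>) {
    let n = size_of::<MysqlTime>();
    let (mut buf, mut covered) = (vec![0u8; n], vec![false; n]);
    macro_rules! put {
        ($field:ident) => {{
            let (off, b) = (offset_of!(MysqlTime, $field), t.$field.to_ne_bytes());
            buf[off..off + b.len()].copy_from_slice(&b);
            covered[off..off + b.len()].fill(true);
        }};
    }
    put!(year); put!(month); put!(day); put!(hour); put!(minute); put!(second);
    put!(second_part); put!(neg); put!(time_type); put!(time_zone_displacement);
    let padding = (0..n).filter(|&i| !covered[i]).collect();
    (buf, padding)
}

fn main() {
    let t = MysqlTime { year: 2026, month: 4, day: 24, hour: 12, neg: 1, ..Default::default() };
    let (bytes, padding) = serialize(&t);
    println!("{} bytes; padding (never read, sent as zero) at {:?}", bytes.len(), padding);
}
```

On x86_64 the compiler places three padding bytes after neg and four at the tail, which is what the Vec<usize> reports; the old cast would have copied whatever stale memory sat there into the query parameters.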
{
"affected": [
{
"database_specific": {
"categories": [],
"cvss": null,
"informational": "unsound"
},
"ecosystem_specific": {
"affected_functions": null,
"affects": {
"arch": [],
"functions": [
"diesel::serialize::ToSql\u003cDate,Mysql\u003e",
"diesel::serialize::ToSql\u003cDateTime,Mysql\u003e",
"diesel::serialize::ToSql\u003cTime,Mysql\u003e",
"diesel::serialize::ToSql\u003cTimestamp,Mysql\u003e"
],
"os": []
}
},
"package": {
"ecosystem": "crates.io",
"name": "diesel",
"purl": "pkg:cargo/diesel"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.0-0"
},
{
"fixed": "2.3.8"
}
],
"type": "SEMVER"
}
],
"versions": []
}
],
"aliases": [],
"database_specific": {
"license": "CC0-1.0"
},
"details": "Diesel relies on libmysqlclient for interacting with Mysql compatible databases. This library requires to provide date/time values according to the byte layout of their `MYSQL_TIME` type.\n\nDiesel replicated this type as `#[repr(C)]` struct, populated all the fields of this struct and then casted this value to an array of bytes. As this cast exposes padding bytes contained in this struct, this is undefined behaviour.\n\nThis vulnerability affects any user serializing date/time values using the Mysql backend.\n\n## Mitigation\n\nThe preferred mitigation to the outlined problem is to update to Diesel version 2.3.8 or newer, which includes fixes for the problem.\n\n## Resolution\n\nDiesel now manually serializes the relevant data without accessing the padding bytes.",
"id": "RUSTSEC-2026-0134",
"modified": "2026-05-13T14:16:31Z",
"published": "2026-04-24T12:00:00Z",
"references": [
{
"type": "PACKAGE",
"url": "https://crates.io/crates/diesel"
},
{
"type": "ADVISORY",
"url": "https://rustsec.org/advisories/RUSTSEC-2026-0134.html"
},
{
"type": "WEB",
"url": "https://github.com/diesel-rs/diesel/pull/5042"
}
],
"related": [],
"severity": [],
"summary": "Unsound access to padding bytes while serializing date/time values using the Mysql backend"
}