
GHSA-fp5x-7m4q-449f: Direct Ring Buffer has uninitialized memory exposure in create_ring_buffer

October 21, 2025 (updated November 10, 2025)

The safe function create_ring_buffer allocates a buffer using Vec::with_capacity followed by set_len, creating a Box<[T]> containing uninitialized memory.

This leads to undefined behavior when functions like write_slices create typed slices (e.g., &mut [bool]) over the uninitialized memory, violating Rust’s validity invariants. The issue has been confirmed using Miri.

Fixed in version 0.2.2 by using resize_with to properly initialize the buffer with T::default(), adding a T: Default bound to ensure sound initialization.
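As an added example, not the direct_ring_buffer crate's own code: a minimal ring buffer whose constructor is written in the unsound pre-0.2.2 form beside the sound 0.2.2 form described above. The RingBuffer type, its push/pop methods and the function names are assumptions made for this illustration.

```rust
// Constructed illustration of the advisory's bug and fix; the RingBuffer type
// and its methods are assumptions, not the crate's API.  The unsound
// constructor is kept only for side-by-side comparison and is never called.

pub struct RingBuffer<T> {
    buf: Box<[T]>,
    read: usize,  // monotonically increasing read cursor
    write: usize, // monotonically increasing write cursor
}

/// UNSOUND, reconstructed from the advisory: capacity is reserved but no
/// element is ever written before `set_len`, so `buf` is a `Box<[T]>` over
/// uninitialised memory.  Forming `&[bool]` over it is undefined behaviour
/// (Miri rejects it).  Do not call this; it exists only for comparison.
#[allow(dead_code)]
pub fn create_ring_buffer_unsound<T>(capacity: usize) -> RingBuffer<T> {
    let mut v: Vec<T> = Vec::with_capacity(capacity);
    // SAFETY: none.  This is the bug: the `capacity` elements are uninitialised.
    unsafe { v.set_len(capacity) };
    RingBuffer { buf: v.into_boxed_slice(), read: 0, write: 0 }
}

/// SOUND, the 0.2.2 fix: `resize_with` writes `T::default()` into every slot
/// as the length grows, so each element is a valid `T` and no `unsafe` is
/// needed.  The `T: Default` bound is what makes this possible.
pub fn create_ring_buffer<T: Default>(capacity: usize) -> RingBuffer<T> {
    let mut v: Vec<T> = Vec::with_capacity(capacity);
    v.resize_with(capacity, T::default);
    RingBuffer { buf: v.into_boxed_slice(), read: 0, write: 0 }
}

impl<T: Copy> RingBuffer<T> {
    pub fn push(&mut self, value: T) -> bool {
        let n = self.buf.len();
        if self.write - self.read == n { return false; } // full: refuse, never overwrite
        self.buf[self.write % n] = value;
        self.write += 1;
        true
    }
    pub fn pop(&mut self) -> Option<T> {
        if self.read == self.write { return None; }
        let v = self.buf[self.read % self.buf.len()];
        self.read += 1;
        Some(v)
    }
    /// A never-written slot is well defined after the fix: it holds `T::default()`.
    pub fn raw_slot(&self, i: usize) -> T { self.buf[i] }
}
```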

References

  • github.com/advisories/GHSA-fp5x-7m4q-449f
  • github.com/ain1084/direct_ring_buffer
  • github.com/ain1084/direct_ring_buffer/issues/1
  • github.com/ain1084/direct_ring_buffer/pull/2
  • rustsec.org/advisories/RUSTSEC-2025-0105.html


Affected versions

All versions before 0.2.2

Fixed versions

  • 0.2.2

Solution

Upgrade to version 0.2.2 or above.

Impact: 4 (MEDIUM)

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Weakness

  • CWE-908: Use of Uninitialized Resource

Source file

cargo/direct_ring_buffer/GHSA-fp5x-7m4q-449f.yml


Page generated Tue, 25 Nov 2025 12:20:34 +0000.