Use of Uninitialized Resource Affecting static-alloc package, versions >=0.2.2 <0.2.6


Severity: medium (CVSS assessment by Snyk's Security Team)

  • Snyk ID: SNYK-RUST-STATICALLOC-10946359
  • Published: 25 Jul 2025
  • Disclosed: 11 Jul 2025
  • Credit: Unknown

Introduced: 11 Jul 2025

CVE: not available. CWE-908 (Use of Uninitialized Resource)

How to fix?

Upgrade static-alloc to version 0.2.6 or higher.
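As an added check, not Snyk's or the static-alloc project's code, the script below scans a Cargo.lock for static-alloc entries that fall inside the affected range (>=0.2.2 and <0.2.6); the lock-file text it reads is constructed for the example.

```python
# Added example (not Snyk's or the static-alloc project's code): scan a
# Cargo.lock for static-alloc versions in the range this advisory names,
# >=0.2.2 and <0.2.6.  The lock-file text below is constructed.
import re
PACKAGE = "static-alloc"
AFFECTED_MIN = (0, 2, 2)  # inclusive lower bound from the advisory
FIXED_AT = (0, 2, 6)      # first fixed version; everything below is affected

SAMPLE_CARGO_LOCK = """\
version = 3
[[package]]
name = "alloc-traits"
version = "0.1.1"

[[package]]
name = "static-alloc"
version = "0.2.4"
dependencies = ["alloc-traits"]

[[package]]
name = "static-alloc"
version = "0.2.6"
dependencies = ["alloc-traits"]
"""

def parse_version(text):
    """'0.2.4' -> (0, 2, 4); a pre-release or build suffix is dropped."""
    core = text.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))

def is_affected(version):
    return AFFECTED_MIN <= parse_version(version) < FIXED_AT

def affected_entries(lock_text):
    """Versions of static-alloc pinned in the lock file that fall inside
    the affected range.  A lock file may pin several versions of one
    crate, so every [[package]] block is checked, not just the first."""
    hits = []
    for block in lock_text.split("[[package]]")[1:]:
        name = re.search(r'^name = "([^"]+)"', block, re.M)
        version = re.search(r'^version = "([^"]+)"', block, re.M)
        if name and version and name.group(1) == PACKAGE:
            if is_affected(version.group(1)):
                hits.append(version.group(1))
    return hits

if __name__ == "__main__":
    for v in affected_entries(SAMPLE_CARGO_LOCK):
        print(f"{PACKAGE} {v} is affected; upgrade to 0.2.6 or higher")
```

Point it at a real lock file by reading the file contents into `affected_entries` instead of the constructed sample.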

Overview

static-alloc is a bump allocator on static memory for the alloc-traits crate.

Affected versions of this package are vulnerable to Use of Uninitialized Resource via the MemBump::new function, which returns an allocator whose internal counter has not been initialized. Invoking allocation methods on the resulting object may read that uninitialized memory, triggering undefined behavior and potentially causing assertion failures or violating internal invariants.

Workaround

This vulnerability can be mitigated by calling MemBump::reset immediately after constructing the allocator with MemBump::new, which manually initializes the counter before any allocation method is used.
