GHSA-xcpm-76hf-c9cc:
Rust Vulnerability Analysis and Mitigation
Overview
The vulnerability (GHSA-xcpm-76hf-c9cc) affects the borrowck_sacrifices Rust crate, specifically its any_as_u8_slice function. Discovered and reported on October 15, 2025, and officially published on October 22, 2025, this vulnerability exposes uninitialized memory when the function is used with types that contain padding bytes. The issue affects versions of the borrowck_sacrifices crate prior to 0.2.0 (GitHub Advisory, RustSec Advisory).
Technical details
The vulnerability stems from the safe function any_as_u8_slice creating byte slices that reference uninitialized memory when used with types containing padding bytes. The function uses slice::from_raw_parts to build a &[u8] covering the entire size of a type, padding bytes included. This violates Rust's safety contract: from_raw_parts requires every byte in the range to be initialized, but the padding bytes of a struct are not guaranteed to be initialized. The vulnerability has been assigned a CVSS v4.0 score of 2.0 (Low severity) with the vector string CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P and is classified as CWE-824 (Access of Uninitialized Pointer) (GitHub Advisory).
Impact
The vulnerability leads to undefined behavior when accessing struct padding bytes, potentially exposing uninitialized memory. This can result in memory safety violations and potential security implications when working with structured data types that contain padding (RustSec Advisory).
Mitigation and workarounds
The vulnerability has been patched in version 0.2.0 of the borrowck_sacrifices crate. Users are advised to upgrade to this version or later to address the issue. For those unable to upgrade immediately, the suggested workaround is to modify the function signature to be explicitly unsafe, making the API contract clear about its potential dangers (RustSec Advisory).
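The following is an added example, not code from the borrowck_sacrifices crate, illustrating both the padding problem described in the technical details and the workaround above. It reconstructs the unsound `from_raw_parts` pattern as an explicitly `unsafe fn` (the advisory's workaround), adds a hypothetical `PaddingFree` marker trait so that only padding-free types get a safe byte view, and serializes a padded type field by field instead.

```rust
use std::mem::size_of;
use std::slice;

/// u8 followed by u32: under repr(C) the size is 8, so 3 padding bytes follow `tag`.
#[repr(C)]
#[derive(Clone, Copy)]
pub struct Padded { pub tag: u8, pub value: u32 }

/// Two u32 fields: size 8, no padding.
#[repr(C)]
#[derive(Clone, Copy)]
pub struct Packed { pub a: u32, pub b: u32 }

/// Assumed reconstruction of the pattern (not the crate's code), marked `unsafe`
/// as the advisory suggests: the caller must guarantee every byte of `*p` is initialized.
pub unsafe fn any_as_u8_slice<T: Sized>(p: &T) -> &[u8] {
    slice::from_raw_parts(p as *const T as *const u8, size_of::<T>())
}

/// Hypothetical marker trait: implementing it asserts the type has no padding bytes.
pub unsafe trait PaddingFree: Copy {
    /// Sum of the field sizes; compared against size_of to catch a wrong impl.
    const FIELD_BYTES: usize;
}

// SAFETY: two u32 fields in repr(C) occupy 8 contiguous bytes with no gaps.
unsafe impl PaddingFree for Packed { const FIELD_BYTES: usize = 4 + 4; }

/// Safe wrapper: a byte view is only available for padding-free types.
pub fn as_bytes<T: PaddingFree>(p: &T) -> &[u8] {
    // Any padding makes size_of larger than the sum of the fields.
    assert_eq!(size_of::<T>(), T::FIELD_BYTES, "type has padding bytes");
    // SAFETY: T: PaddingFree guarantees every byte of *p is initialized.
    unsafe { any_as_u8_slice(p) }
}

/// Types with padding are serialized field by field, so padding is never read.
pub fn padded_to_bytes(p: &Padded) -> Vec<u8> {
    let mut out = Vec::with_capacity(1 + 4);
    out.push(p.tag);
    out.extend_from_slice(&p.value.to_le_bytes());
    out
}

/// Number of padding bytes in `Padded`: the gap a whole-type byte view would expose.
pub fn padded_padding_bytes() -> usize {
    size_of::<Padded>() - (size_of::<u8>() + size_of::<u32>())
}
```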
Additional resources
Source: This report was generated using AI