
Cloud Vulnerability DB
A community-led vulnerabilities database
The vulnerability (GHSA-77h3-w9rx-hj3q) affects versions 1.3.1 and earlier of the scratchpad crate; it was discovered and disclosed on August 14, 2025. The issue involves the public trait scratchpad::Tracking, specifically its get and set methods, whose results are consumed by unsafe code regions even though the trait itself is not marked unsafe. As a result, the trait can be implemented entirely in safe code, yet an incorrect implementation can cause memory corruption (GitHub Advisory, RustSec Advisory).
The vulnerability stems from the fact that the values produced by the Tracking trait's get and set methods feed into the computation of raw pointer addresses within unsafe code regions. An implementation can therefore influence the buffer_end calculation and the memory allocation performed in Marker::allocate_array_uninitialized, which is called by Marker::allocate_slice_copy. The vulnerability has been assigned a CVSS v4.0 score of 5.5 (Moderate) with the vector CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P (GitHub Advisory).
When exploited, this vulnerability can lead to heap buffer overflows and arbitrary memory access, even through a seemingly safe implementation of the Tracking trait. The assigned impact is primarily to availability, with memory corruption as the underlying mechanism (GitHub Advisory, RustSec Advisory).
Currently, no patched version is available. The crate is in maintenance mode, awaiting a cleanup intended to reduce the amount of unsafe code. The suggested fix is to mark the Tracking trait as unsafe, so that implementors explicitly take on the correctness obligations that the library's internal unsafe code relies on (RustSec Advisory).
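To show the class of bug the advisory describes, the following is an added example, not the scratchpad crate's own code: a hypothetical bump allocator whose unsafe pointer arithmetic depends on a safe Tracking trait, alongside the advisory's suggested unsafe trait form and a bounds check that turns a misbehaving implementation into a rejected allocation instead of an out-of-bounds pointer. The type names Bump, Honest, Drifting and SoundTracking are assumptions made for this illustration.

```rust
// Added illustration of the GHSA-77h3-w9rx-hj3q pattern with hypothetical types;
// not the scratchpad crate's code.
use std::cell::Cell;

/// Flawed pattern: a safe trait whose results feed raw-pointer arithmetic, so
/// any safe impl can hand the unsafe caller an out-of-range offset.
pub trait Tracking {
    fn get(&self) -> usize;
    fn set(&self, value: usize);
}

/// Advisory's suggested fix: an `unsafe trait`, so implementing it is an explicit
/// promise (here: `get` only ever returns a value previously passed to `set`).
pub unsafe trait SoundTracking {
    fn get(&self) -> usize;
    fn set(&self, value: usize);
}

/// Hypothetical bump allocator, modelled on the advisory's description of
/// `Marker::allocate_array_uninitialized`.
pub struct Bump<T> { pub data: Box<[u8]>, pub tracker: T }
impl<T: Tracking> Bump<T> {
    pub fn new(size: usize, tracker: T) -> Self {
        tracker.set(0);
        Bump { data: vec![0u8; size].into_boxed_slice(), tracker }
    }
    /// Hardened allocation: validates the tracker-derived offsets before any
    /// pointer arithmetic, so a misbehaving impl yields `None`, not an OOB pointer.
    pub fn allocate(&mut self, len: usize) -> Option<&mut [u8]> {
        let start = self.tracker.get();
        let buffer_end = start.checked_add(len)?;
        if buffer_end > self.data.len() { return None; }
        self.tracker.set(buffer_end);
        // SAFETY: start..buffer_end lies within self.data, verified above.
        Some(unsafe { std::slice::from_raw_parts_mut(self.data.as_mut_ptr().add(start), len) })
    }
}

/// Well-behaved tracker: returns exactly what was last set.
pub struct Honest(pub Cell<usize>);
impl Tracking for Honest {
    fn get(&self) -> usize { self.0.get() }
    fn set(&self, v: usize) { self.0.set(v) }
}
/// Entirely safe, yet reports an offset the allocator never set; unchecked, it
/// would become a raw pointer far past the buffer.
pub struct Drifting(pub Cell<usize>);
impl Tracking for Drifting {
    fn get(&self) -> usize { self.0.get() + 1_000_000 }
    fn set(&self, v: usize) { self.0.set(v) }
}
```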
Source: This report was generated using AI