GHSA-f95p-4cv5-8w8x: 
Rust vulnerability analysis and mitigation

A low severity vulnerability was discovered in the linkme Rust package affecting versions prior to 0.3.24. The vulnerability (GHSA-f95p-4cv5-8w8x) was published and reviewed on December 4, 2024. The issue allows the population of a DistributedSlice of type T with elements of arbitrary types that can coerce to T, potentially leading to type safety violations (GitHub Advisory, RustSec Advisory).

The vulnerability stems from a type checking bypass in the DistributedSlice implementation. Specifically, DistributedSlice::private_typecheck(self, T) accepts arguments that can be coerced to the target type, such as allowing &&str elements in a slice declared as [&str]. This occurs because &&str can coerce to &str through deref coercion (GitHub Issue).

The vulnerability could lead to potential memory safety issues. In a demonstrated proof of concept, the flaw could allow access to invalid memory ranges, with one example showing potential access to 140 TB of memory space (GitHub Issue).

The vulnerability has been patched in version 0.3.24 of the linkme package. The fix implements stricter typechecking for distributed slice elements that prevents coercion, requiring the element's type to be a subtype of the slice's declared element type (RustSec Advisory).