GHSA-h5j3-crg5-8jqm: 
Rust vulnerability analysis and mitigation

The vulnerability (GHSA-h5j3-crg5-8jqm) affects the orx-pinned-vec Rust crate versions prior to 3.21.0, discovered and disclosed on October 21, 2025. The issue resides in the safe function index_of_ptr which exhibits undefined behavior when called with empty slices. This vulnerability affects the memory safety guarantees of Rust programs using the affected versions of the crate (GitHub Advisory, RustSec Advisory).

The vulnerability occurs in the index_of_ptr function when processing empty slices. The problematic line ptr.add(slice.len() - 1) causes an integer underflow when slice.len() is 0, resulting in the creation of a pointer with a massive offset. According to Rust's safety rules, creating such a pointer constitutes immediate undefined behavior, even without dereferencing it. The vulnerability is classified with CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-191 (Integer Underflow). The issue has been assigned a CVSS v4.0 score of 2.0 (Low severity) (GitHub Advisory).

The vulnerability can lead to undefined behavior in Rust programs using the affected versions of orx-pinned-vec, particularly when processing empty slices. This could potentially result in memory corruption or program crashes, though the impact is considered low as it requires specific conditions to trigger (GitHub Advisory).

The vulnerability has been fixed in version 3.21.0 of orx-pinned-vec. The fix replaces the problematic pointer arithmetic with a safer method using slice.as_ptr_range().contains() to check if the pointer is within the slice's bounds. Users should upgrade to version 3.21.0 or later to address this issue (GitHub PR).