GHSA-xcpm-76hf-c9cc: 
Rust vulnerability analysis and mitigation

GHSA-xcpm-76hf-c9cc is a low severity vulnerability affecting the borrowcksacrifices Rust package versions prior to 0.2.0. The vulnerability was discovered and disclosed on October 22, 2025, impacting the anyasu8slice function which could expose uninitialized memory when used with types containing padding bytes (GitHub Advisory).

The vulnerability exists in the safe function anyasu8slice which uses slice::fromrawparts to create a &[u8] covering the entire size of a type, including padding bytes. According to Rust's documentation, fromraw_parts requires all bytes to be properly initialized, but padding bytes in structs are not guaranteed to be initialized. This violates the safety contract and causes undefined behavior (RustSec Advisory). The vulnerability has been assigned a CVSS score of 2.0 (Low) with the vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P (GitHub Advisory).

When exploited, this vulnerability can lead to the exposure of uninitialized memory when the function is used with types containing padding bytes. This primarily affects the availability of the system, though without direct impact on confidentiality or integrity (GitHub Advisory).

The vulnerability has been patched in version 0.2.0 of the borrowck_sacrifices package. Users should upgrade to this version or later to address the security issue (RustSec Advisory).