
Cloud Vulnerability DB
A community-led vulnerabilities database
The vulnerability (GHSA-xqjr-wfx3-gmxv) affects versions 0.3.0 through 0.3.3 of the array-queue Rust crate and was discovered and disclosed in September 2025. The issue resides in the ArrayQueue::push_front method, which has a panic-safety flaw that could lead to memory corruption. This moderate-severity vulnerability (CVSS score 6.9) affects the safe API of the array queue data structure (GitHub Advisory, RustSec Advisory).
The vulnerability stems from a design flaw in the ArrayQueue::push_front implementation where the queue's start index is updated before initializing the slot for the newly pushed element. The method receives an argument that implements the Clone trait, which is intended to be cloned and pushed into the queue. If the clone operation panics during initialization, the structure remains in an inconsistent state with an advanced start index pointing to an uninitialized slot. This vulnerability is classified under CWE-665 (Improper Initialization) and has been assigned a CVSS v4.0 score of 6.9 with vector AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N (GitHub Advisory).
When the ArrayQueue object is dropped following a panic in the clone operation, its destructor incorrectly treats the uninitialized slot as initialized and attempts to drop it. This leads to an attempt to deallocate uninitialized memory, potentially causing memory corruption and program crashes (GitHub Issue).
The vulnerability has been fixed in version 0.4.0 of the array-queue crate. The fix modifies the ArrayQueue::push_front implementation to ensure that the queue's start index is updated after the cloned element is successfully pushed, maintaining proper initialization order. Users are strongly recommended to upgrade to version 0.4.0 or later (RustSec Advisory).
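The two update orders described above, side by side, as an added example that is not the array-queue crate's code. `Ring`, `Bomb`, both method names and the `&T` parameter are assumptions made for illustration; the index-first queue is deliberately leaked after the panic so its destructor never touches the uninitialized slot.

```rust
use std::mem::MaybeUninit;
use std::panic::{catch_unwind, AssertUnwindSafe};

// Hypothetical minimal ring buffer (assumption), not the array-queue crate's code.
struct Ring<T, const N: usize> { slots: [MaybeUninit<T>; N], start: usize, len: usize }
impl<T: Clone, const N: usize> Ring<T, N> {
    fn new() -> Self {
        Ring { slots: std::array::from_fn(|_| MaybeUninit::uninit()), start: 0, len: 0 }
    }
    // Order the advisory describes as vulnerable: publish the index, then clone.
    fn push_front_index_first(&mut self, x: &T) {
        assert!(self.len < N);
        self.start = (self.start + N - 1) % N;
        self.len += 1;
        self.slots[self.start].write(x.clone()); // a panic here leaves the slot uninitialized
    }
    // Order the fix describes: clone into the slot, then publish the index.
    fn push_front_clone_first(&mut self, x: &T) {
        assert!(self.len < N);
        let i = (self.start + N - 1) % N;
        self.slots[i].write(x.clone());
        self.start = i;
        self.len += 1;
    }
}
impl<T, const N: usize> Drop for Ring<T, N> {
    fn drop(&mut self) {
        for k in 0..self.len {
            // Sound only if every slot counted by `len` really is initialized.
            unsafe { self.slots[(self.start + k) % N].assume_init_drop() };
        }
    }
}
#[allow(dead_code)]
struct Bomb(Box<u8>); // constructed element type whose clone always panics
impl Clone for Bomb { fn clone(&self) -> Self { panic!("constructed clone failure") } }
// Returns how many elements the queue claims to hold after a push whose clone panicked.
fn len_after_failed_push(clone_first: bool) -> usize {
    let (mut q, b) = (Ring::<Bomb, 4>::new(), Bomb(Box::new(7)));
    let r = catch_unwind(AssertUnwindSafe(|| {
        if clone_first { q.push_front_clone_first(&b) } else { q.push_front_index_first(&b) }
    }));
    assert!(r.is_err());
    let len = q.len;
    if len != 0 { std::mem::forget(q); } // skip Drop: it would free an uninitialized Box
    len
}
fn main() {
    println!("index first: {}, clone first: {}", len_after_failed_push(false), len_after_failed_push(true));
}
```

A nonzero count after the failed push is the inconsistent state: the destructor would treat that slot as a live value.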
Source: This report was generated using AI