RUSTSEC-2025-0049: 
Rust vulnerability analysis and mitigation

A memory corruption vulnerability was discovered in the scratchpad crate version 1.3.1 where custom implementations of the scratchpad::Tracking trait can lead to heap buffer overflow. The vulnerability was identified by the PursecLab security research team and reported on August 3, 2025. The issue stems from the Tracking trait not being marked as unsafe despite being used in unsafe code regions within the library (PursecLab Issue).

The vulnerability exists because the methods Tracking::capacity, Tracking::set and Tracking::get are invoked within unsafe regions of the library, but the Tracking trait itself is not marked as unsafe. This allows users to provide custom implementations that can trigger undefined behavior. The issue manifests specifically in the Marker::allocateslicecopy method which calls Marker::allocatearrayuninitialized, leading to potential memory corruption when user-defined Tracking implementations return incorrect values (PursecLab Issue).

When exploited, this vulnerability can cause heap buffer overflow, leading to memory corruption and potential arbitrary code execution. The issue can be triggered without using any unsafe code on the user side, making it particularly concerning as it violates Rust's memory safety guarantees (PursecLab Issue).

The proposed fix is to mark the Tracking trait as unsafe, since the library's internal unsafe code relies on the correctness of its implementations. This would properly signal to users that implementing this trait requires careful consideration of safety guarantees (PursecLab Issue).