
Cloud Vulnerability DB
A community-led vulnerabilities database
RUSTSEC-2025-0106 is a potential undefined behavior vulnerability in the index_of_ptr function of the orx-pinned-vec crate. The issue was discovered and reported on October 1, 2025, affecting version 3.10.0 and earlier versions of the crate. The vulnerability occurs when the function is called with an empty slice, causing an underflow in pointer arithmetic (GitHub Issue).
The vulnerability exists in the index_of_ptr function within orx-pinned-vec/src/utils/slice.rs. When called with an empty slice, the line ptr.add(slice.len() - 1) causes an underflow since slice.len() is 0. According to Rust's safety rules, creating a pointer with such a massive offset results in undefined behavior. This violates the core guarantee that a safe function cannot cause UB on any input, as confirmed through Miri testing (GitHub Issue).
The vulnerability can lead to undefined behavior in programs using the affected function with empty slices. Since this is a safe function that can trigger undefined behavior, it represents a serious soundness hole in the Rust type system's safety guarantees (GitHub Issue).
A suggested fix is to add a check at the beginning of the function: if slice.is_empty() { return None; } to handle empty slices before performing pointer arithmetic (GitHub Issue).
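The guard described above, shown as an added example that is not the crate's own source: the signature, the address-range logic and the helper unguarded_offset are assumptions made for illustration, and only the expression ptr.add(slice.len() - 1) and the is_empty() check come from the advisory.

```rust
// Hypothetical stand-in for the crate's index_of_ptr, written for this example.
// The pattern described in the advisory computes the last element's address as
//     slice.as_ptr().add(slice.len() - 1)
// For an empty slice, `len() - 1` panics when overflow checks are on and wraps to
// usize::MAX when they are off, so `add` is asked for an offset far outside the
// allocation, which is undefined behavior.

/// Returns the index of `ptr` within `slice`, or None if it does not point at an element.
pub fn index_of_ptr<T>(slice: &[T], ptr: *const T) -> Option<usize> {
    // The guard suggested in the advisory: nothing can point into an empty slice.
    if slice.is_empty() {
        return None;
    }
    let size = std::mem::size_of::<T>();
    if size == 0 {
        return None; // assumption: zero-sized elements are not located by address
    }
    let start = slice.as_ptr() as usize;
    // Sound here: the slice is non-empty, so len() - 1 cannot underflow and the
    // resulting pointer stays inside the slice's allocation.
    let last = unsafe { slice.as_ptr().add(slice.len() - 1) } as usize;
    let addr = ptr as usize;
    if addr < start || addr > last || (addr - start) % size != 0 {
        return None;
    }
    Some((addr - start) / size)
}

/// The element offset the unguarded expression would request for a slice of
/// length `len`, computed on integers only (no pointer arithmetic is performed).
pub fn unguarded_offset(len: usize) -> usize {
    len.wrapping_sub(1) // what `len - 1` evaluates to when overflow checks are off
}

fn main() {
    let data = [10u32, 20, 30]; // constructed sample data
    let empty: [u32; 0] = [];
    println!("{:?}", index_of_ptr(&data[..], &data[2] as *const u32));
    println!("{:?}", index_of_ptr(&empty[..], &data[0] as *const u32));
    println!("{:#x}", unguarded_offset(empty.len()));
}
```

Running a test suite that includes an empty-slice case under Miri (cargo miri test) is how this class of bug surfaces, as the advisory notes.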
Source: This report was generated using AI