CVE-2023-53161
Description
The buffered-reader crate before 1.1.5 for Rust allows out-of-bounds array access and a panic.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The `buffered-reader` crate before version 1.1.5 allows out-of-bounds array access on attacker-controlled input, causing a panic and denial of service.
Vulnerability
Description
The Rust buffered-reader crate, versions prior to 1.1.5 (specifically including releases before 1.0.2 and between 1.1.0 and 1.1.4), contains a memory safety bug. When processing attacker-controlled input, the crate attempts to read from an array index that is outside the valid bounds. Rust's built-in bounds checking detects this violation, causing the application to panic rather than allowing arbitrary memory access [1][2].
Exploitation
An attacker can exploit this vulnerability by supplying crafted input to any application or library that uses the vulnerable buffered-reader crate for parsing. No authentication or special privileges are required; the attacker only needs a way to deliver the malicious data to the parser. This could be over the network (e.g., via a file upload, message injection, or data stream) or locally, depending on how the library is integrated [2][4].
Impact
Successful exploitation leads to a denial of service (DoS): the application crashes due to an unhandled panic. The advisory from Sequoia-PGP explicitly notes that memory corruption is not possible because Rust's safety guarantees prevent out-of-bounds write access, so the primary impact is availability [2][4].
Mitigation
The issue is fixed in buffered-reader versions 1.0.2, 1.1.5, and all 1.2.x releases [2]. Users should update to at least one of these patched versions. No workarounds are provided. The vulnerability is tracked under CVE-2023-53161 and GHSA-29mf-62xx-28jq [2][3].
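To make the failure mode described above concrete, the following is an added Rust illustration; it is not code from the buffered-reader crate or from Sequoia-PGP, and it does not reproduce the crate's actual parsing logic, which the advisory does not detail. It uses a constructed length-prefixed record format and constructed sample inputs. The first function indexes with an attacker-controlled length and relies on Rust's bounds check, so malformed input ends in a panic (the availability impact the advisory describes, with no memory corruption). The second function routes every untrusted offset through `get`, turning the same input into an error the caller can log and drop. The third shows containment at a service boundary with `std::panic::catch_unwind`, which limits the blast radius of a panicking dependency while the real fix, upgrading to a patched version, is rolled out.

```rust
// Added illustration (not buffered-reader's code): a constructed
// length-prefixed record parser showing the CVE-2023-53161 failure mode
// (out-of-bounds index on attacker-controlled input -> panic -> DoS).

/// Trusting variant: reads the length byte and indexes directly.
/// On empty or truncated input, Rust's bounds check panics. In a server
/// that is an availability failure, not memory corruption.
pub fn parse_record_panicking(buf: &[u8]) -> &[u8] {
    let len = buf[0] as usize; // panics if buf is empty
    &buf[1..1 + len] // panics if fewer than `len` payload bytes follow
}

#[derive(Debug, PartialEq)]
pub enum ParseError {
    Empty,
    Truncated { need: usize, have: usize },
}

/// Hardened variant: every attacker-controlled offset goes through `get`,
/// so malformed input becomes an `Err` instead of a panic.
pub fn parse_record_checked(buf: &[u8]) -> Result<&[u8], ParseError> {
    let len = *buf.first().ok_or(ParseError::Empty)? as usize;
    buf.get(1..1 + len).ok_or(ParseError::Truncated {
        need: 1 + len,
        have: buf.len(),
    })
}

/// Containment at a service boundary: catch a panic raised inside a
/// dependency so one malformed message does not take the worker down.
/// This is a stopgap for a panic-based DoS, not a substitute for upgrading.
pub fn handle_message_contained(msg: &[u8]) -> Result<usize, &'static str> {
    std::panic::catch_unwind(move || parse_record_panicking(msg).len())
        .map_err(|_| "parser panicked on malformed input")
}

fn main() {
    // Constructed sample inputs: a well-formed record and one whose
    // length byte claims 200 payload bytes but carries only 3.
    let good: &[u8] = &[3, b'a', b'b', b'c'];
    let truncated: &[u8] = &[200, 1, 2, 3];

    println!("checked/good:      {:?}", parse_record_checked(good));
    println!("checked/truncated: {:?}", parse_record_checked(truncated));
    println!("contained/truncated: {:?}", handle_message_contained(truncated));
    // parse_record_panicking(truncated) would abort this thread with a panic.
}
```

The `catch_unwind` path still prints the panic message via the default panic hook, which is useful as a detection signal: a sudden rate of parser panics on one endpoint is a reasonable indicator that someone is feeding it crafted input.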
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| buffered-reader (crates.io) | < 1.0.2 | 1.0.2 |
| buffered-reader (crates.io) | >= 1.1.0, < 1.1.5 | 1.1.5 |
Affected products
- buffered-reader, Range: <1.1.5
- sequoia-pgp/buffered-reader (v5), Range: 0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-25mx-8f3v-8wh7 (GHSA, advisory)
- github.com/advisories/GHSA-29mf-62xx-28jq (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-53161 (GHSA, advisory)
- gitlab.com/sequoia-pgp/sequoia/-/blob/main/buffered-reader/NEWS (GHSA, web)
- gitlab.com/sequoia-pgp/sequoia/-/tags/buffered-reader%2Fv1.0.2 (GHSA, web)
- gitlab.com/sequoia-pgp/sequoia/-/tags/buffered-reader%2Fv1.1.5 (GHSA, web)
- lists.sequoia-pgp.org/hyperkitty/list/announce@lists.sequoia-pgp.org/thread/SN2E3QRT4DMQ5JNEK6VIN6DJ5SH766DI (GHSA, web)
- rustsec.org/advisories/RUSTSEC-2023-0039.html (GHSA, web)
- crates.io/crates/buffered-reader (MITRE)
- lists.sequoia-pgp.org/hyperkitty/list/announce@lists.sequoia-pgp.org/thread/SN2E3QRT4DMQ5JNEK6VIN6DJ5SH766DI/ (MITRE)
News mentions
No linked articles in our index yet.