Moderate severity · OSV Advisory · Published Jan 26, 2026 · Updated Apr 20, 2026
Gix-date: gix-date: undefined behavior due to invalid string generation
CVE-2026-0810
Description
A flaw was found in gix-date. The gix_date::parse::TimeBuf::as_str function can generate strings containing invalid non-UTF8 characters. This issue violates the internal safety invariants of the TimeBuf component, leading to undefined behavior when these malformed strings are subsequently processed. This could potentially result in application instability or other unforeseen consequences.
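The invariant at stake, as an added Rust example that is not gix-date's code: a buffer that is later viewed as `&str` must not accept bytes from anywhere but its own formatter, which is why the patch listed under Patches removes the public `std::io::Write` impl. `OpenBuf`, `SealedBuf`, `try_as_str` and `format` are hypothetical names, the byte input is constructed, and the conversion is checked so the example itself stays free of undefined behavior.

```rust
use std::io::Write;

/// "Before" shape (hypothetical): a public `Write` impl lets any caller put
/// arbitrary bytes into a buffer that is later viewed as `&str`.
#[derive(Default)]
pub struct OpenBuf { buf: Vec<u8> }

impl Write for OpenBuf {
    fn write(&mut self, bytes: &[u8]) -> std::io::Result<usize> {
        self.buf.write(bytes)
    }
    fn flush(&mut self) -> std::io::Result<()> {
        Ok(())
    }
}

impl OpenBuf {
    /// Checked view. An unchecked conversion at this point would hand out an
    /// invalid `&str` (undefined behavior) whenever this returns `Err`.
    pub fn try_as_str(&self) -> Result<&str, std::str::Utf8Error> {
        std::str::from_utf8(&self.buf)
    }
}

/// "After" shape (hypothetical): the bytes are private and only `format`
/// writes them, so "always valid UTF-8" holds by construction.
#[derive(Default)]
pub struct SealedBuf { buf: Vec<u8> }

impl SealedBuf {
    /// Writes `<seconds> <+|-><HHMM>`, which is ASCII only.
    pub fn format(&mut self, seconds: i64, offset_minutes: i32) -> &str {
        self.buf.clear();
        let sign = if offset_minutes < 0 { '-' } else { '+' };
        let abs = offset_minutes.unsigned_abs();
        write!(self.buf, "{} {}{:02}{:02}", seconds, sign, abs / 60, abs % 60)
            .expect("writing to a Vec cannot fail");
        std::str::from_utf8(&self.buf).expect("format() wrote ASCII only")
    }
}

fn main() {
    let mut open = OpenBuf::default();
    open.write_all(&[0xff, 0xfe]).unwrap(); // constructed non-UTF-8 input
    println!("open buffer valid UTF-8: {}", open.try_as_str().is_ok());
    println!("{}", SealedBuf::default().format(i64::MAX, 99 * 60 + 59));
}
```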
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| gix-date (crates.io) | < 0.12.0 | 0.12.0 |
Affected products
- Range: cargo-smart-release-v0.1.0, cargo-smart-release-v0.2.0, cargo-smart-release-v0.2.1, …
Patches
- 76376ef5e97c: Merge pull request #2306 from GitoxideLabs/copilot/fix-issue-2305-test-example
2 files changed · +6 −14
gix-date/src/parse/mod.rs+1 −11 modified@@ -43,22 +43,12 @@ impl TimeBuf { } } -impl std::io::Write for TimeBuf { - fn write(&mut self, buf: &[u8]) -> std::io::Result<usize> { - self.buf.write(buf) - } - - fn flush(&mut self) -> std::io::Result<()> { - self.buf.flush() - } -} - impl Time { /// Serialize this instance into `buf`, exactly as it would appear in the header of a Git commit, /// and return `buf` as `&str` for easy consumption. pub fn to_str<'a>(&self, buf: &'a mut TimeBuf) -> &'a str { buf.clear(); - self.write_to(buf) + self.write_to(&mut buf.buf) .expect("write to memory of just the right size cannot fail"); buf.as_str() }
gix-date/tests/time/mod.rs+5 −3 modified@@ -109,13 +109,15 @@ mod write_to { #[test] fn max() -> gix_testtools::Result { - let mut buf = TimeBuf::default(); + let mut buf = Vec::new(); Time::MAX.write_to(&mut buf)?; assert_eq!(Time::MAX.size(), 25, "The largest possible serialized size"); let expected = "9223372036854775807 +9959"; - assert_eq!(buf.as_str(), expected); - assert_eq!(buf.as_str().len(), Time::MAX.size()); + assert_eq!(buf.as_bstr(), expected); + assert_eq!(buf.len(), Time::MAX.size()); + + let mut buf = TimeBuf::default(); assert_eq!(Time::MAX.to_str(&mut buf), expected); Ok(()) }
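Review bot: in gix-date/src/parse/mod.rs, `to_str` still ends in `buf.as_str()`, but nothing in the hunk records why the bytes are now guaranteed to be valid UTF-8. With the `std::io::Write` impl removed, that guarantee rests on `self.write_to(&mut buf.buf)` being the only call here that fills the buffer, so a short comment on `to_str` or on the `buf` field stating the invariant would help keep a later change from reintroducing an outside write path. Dropping a trait impl from a type that appears in a `pub fn` signature is also a breaking API change and deserves a changelog entry.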
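Review bot: in gix-date/tests/time/mod.rs, the `max` test rebinds `buf` from `Vec::new()` to `TimeBuf::default()` partway through, which makes the final `Time::MAX.to_str(&mut buf)` assertion easy to misread; a distinct name such as `time_buf` would make it clear which type each assertion exercises. The test also calls `to_str` only once per `TimeBuf`, so a second call on the same buffer with a shorter value would confirm that `buf.clear()` leaves no stale bytes in the returned string.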
References
- github.com/advisories/GHSA-6mw6-mj76-grwc (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-0810 (ghsa, ADVISORY)
- access.redhat.com/security/cve/CVE-2026-0810 (ghsa, vdb-entry, x_refsource_REDHAT, WEB)
- bugzilla.redhat.com/show_bug.cgi (ghsa, issue-tracking, x_refsource_REDHAT, WEB)
- github.com/GitoxideLabs/gitoxide/commit/76376ef5e97c63e108db0c9fe2eb096f4bfe70f7 (ghsa, WEB)
- github.com/GitoxideLabs/gitoxide/issues/2305 (ghsa, WEB)
- github.com/GitoxideLabs/gitoxide/pull/2306 (ghsa, WEB)
- rustsec.org/advisories/RUSTSEC-2025-0140.html (ghsa, WEB)
- crates.io/crates/gix-date (mitre)