Skip to content

chore(deps): update rust crate memmap2 to v0.9.11 [security]#203

Merged
27Bslash6 merged 1 commit into
mainfrom
renovate/crate-memmap2-vulnerability
Jun 26, 2026
Merged

chore(deps): update rust crate memmap2 to v0.9.11 [security]#203
27Bslash6 merged 1 commit into
mainfrom
renovate/crate-memmap2-vulnerability

Conversation

@cachekit-renovate-bot

@cachekit-renovate-bot cachekit-renovate-bot Bot commented Jun 22, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Type Update Change
memmap2 workspace.dependencies patch 0.9.100.9.11

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Unchecked pointer offset in crate memmap2

RUSTSEC-2026-0186

More information

Details

Affected versionf of memmap2 did not perform enough validation on the offset and len parameters of
Mmap::[unchecked_]advise_range(),
MmapMut::[unchecked_]advise_ranage()
and MmapMut::flush[_async]_range().

This can cause undefined behavior due to invalid values being passed to pointer::offset() and pointer::add()
when passing an out-of-bounds range to any of the affected functions.

The flaw was corrected in commit [cee7cf0] and released in version 0.9.11.

The invalid pointer is not dereferenced,
but it is passed to the madvise and msync syscalls and their Windows equivalents.

[cee7cf0] https://github.com/RazrFalcon/memmap2-rs/pull/170/changes/cee7cf03a9ee095982a3c37b7aac8e3f68f1a00c

Severity

Unknown

References

This data is provided by OSV and the Rust Advisory Database (CC0 1.0).

Release Notes

RazrFalcon/memmap2-rs (memmap2)

v0.9.11

Compare Source

Fixed
  • Fix unchecked pointer arithmatic in advice_range, unchecked_advise_range, flush_range and flush_async_range.
Changed
  • Bump the MSRV from 1.63 to 1.65.

Configuration

📅 Schedule: (in timezone Australia/Sydney)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

@cachekit-renovate-bot cachekit-renovate-bot Bot added dependencies Pull requests that update a dependency file security Security vulnerabilities or hardening labels Jun 22, 2026
@27Bslash6 27Bslash6 merged commit 5a77bd8 into main Jun 26, 2026
31 checks passed
@27Bslash6 27Bslash6 deleted the renovate/crate-memmap2-vulnerability branch June 26, 2026 23:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file security Security vulnerabilities or hardening

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@27Bslash6