
chore(deps): update rust crate memmap2 to v0.9.11 [security] #203

Merged
27Bslash6 merged 1 commit into main from renovate/crate-memmap2-vulnerability
Jun 26, 2026
Conversation

@cachekit-renovate-bot cachekit-renovate-bot Bot commented Jun 22, 2026

Contributor

This PR contains the following updates:

| Package | Type | Update | Change |
|---------|------|--------|--------|
| memmap2 | workspace.dependencies | patch | 0.9.10 → 0.9.11 |

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Unchecked pointer offset in crate memmap2

RUSTSEC-2026-0186

More information

Details

Affected versions of memmap2 did not perform enough validation on the offset and len parameters of
Mmap::[unchecked_]advise_range(),
MmapMut::[unchecked_]advise_range()
and MmapMut::flush[_async]_range().

This can cause undefined behavior due to invalid values being passed to pointer::offset() and pointer::add()
when passing an out-of-bounds range to any of the affected functions.

The flaw was corrected in commit [cee7cf0] and released in version 0.9.11.

The invalid pointer is not dereferenced,
but it is passed to the madvise and msync syscalls and their Windows equivalents.

[cee7cf0] https://github.com/RazrFalcon/memmap2-rs/pull/170/changes/cee7cf03a9ee095982a3c37b7aac8e3f68f1a00c

Severity

Unknown

References

This data is provided by OSV and the Rust Advisory Database (CC0 1.0).


Release Notes

RazrFalcon/memmap2-rs (memmap2)

v0.9.11

Compare Source

Fixed
  • Fix unchecked pointer arithmetic in advise_range, unchecked_advise_range, flush_range and flush_async_range.
Changed
  • Bump the MSRV from 1.63 to 1.65.

Configuration

📅 Schedule: (in timezone Australia/Sydney)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

@cachekit-renovate-bot cachekit-renovate-bot Bot added the dependencies (Pull requests that update a dependency file) and security (Security vulnerabilities or hardening) labels Jun 22, 2026
@27Bslash6 27Bslash6 merged commit 5a77bd8 into main Jun 26, 2026
31 checks passed
@27Bslash6 27Bslash6 deleted the renovate/crate-memmap2-vulnerability branch June 26, 2026 23:29