GHSA-GGXF-9F6J-W742: Use-After-Free in Diesel SQLite Deserialization
Vulnerability ID: GHSA-GGXF-9F6J-W742
CVSS Score: 5.3
Published: 2026-07-16
A memory unsoundness vulnerability exists in the Diesel ORM crate when deserializing SQLite databases from raw bytes. The flaw is caused by a failure to bind the lifetime of the input buffer to the lifetime of the connection object, resulting in a Use-After-Free condition in the underlying libsqlite3 C library when subsequent queries are executed.
TL;DR
A Use-After-Free vulnerability in diesel < 2.3.10 allows memory corruption when performing operations on a SQLite connection after its raw database buffer has been dropped.
Technical Details
- CWE ID: CWE-416
- Attack Vector: Network / Local
- CVSS v4.0: 5.3
- Impact: Memory Corruption, Process Crash, Potential State Manipulation
- Exploit Status: None
- KEV Status: Not Listed
Affected Systems
- diesel crate
-
diesel: < 2.3.10 (Fixed in:
2.3.10)
Code Analysis
Commit: 1bc2ea4
Fix a potential use-after-free in SqliteConnection::deserialize_readonly_database_from_buffer
Mitigation Strategies
- Upgrade the diesel dependency to version 2.3.10 or newer.
- Manually manage buffer lifetimes to ensure the database backing buffer outlasts the connection object.
- Enable AddressSanitizer (ASAN) in CI pipelines to detect temporal safety issues in Rust/C boundaries.
Remediation Steps:
- Open Cargo.toml and locate the diesel dependency declaration.
- Update the version field to 2.3.10 or greater.
- Run 'cargo update -p diesel' to resolve the locked version in Cargo.lock.
- Recompile and run the application's test suite under ASAN to verify the fix.
References
Read the full report for GHSA-GGXF-9F6J-W742 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)