Home

Description

A flaw was found in gix-date. The `gix_date::parse::TimeBuf::as_str` function can generate strings containing invalid non-UTF8 characters. This issue violates the internal safety invariants of the `TimeBuf` component, leading to undefined behavior when these malformed strings are subsequently processed. This could potentially result in application instability or other unforeseen consequences.

PUBLISHED Reserved 2026-01-09 | Published 2026-01-26 | Updated 2026-02-13 | Assigner redhat




MEDIUM: 6.8CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Problem types

Incorrect Calculation of Multi-Byte String Length

Product status

Default status
unaffected

Any version before 0.12.0
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Timeline

2026-01-04:Reported to Red Hat.
2025-12-29:Made public.

References

github.com/GitoxideLabs/gitoxide/issues/2305 exploit

access.redhat.com/security/cve/CVE-2026-0810 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2427057 (RHBZ#2427057) issue-tracking

crates.io/crates/gix-date

github.com/GitoxideLabs/gitoxide/issues/2305

rustsec.org/advisories/RUSTSEC-2025-0140.html

cve.org (CVE-2026-0810)

nvd.nist.gov (CVE-2026-0810)

Download JSON