GHSA-ff9q-rm55-q7qr: diesel-async may expose uninitialized padding bytes for MySQL temporal columns
diesel-async exposes uninitialized stack padding to safe code on every read of a MySQL DATE, TIME, DATETIME, or TIMESTAMP column. Reading that buffer is undefined behavior, and the leaked bytes can contain stale heap/stack contents, so this is both a soundness bug and a potential information-disclosure vector.
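An added illustration of the bug class described above, not code from diesel-async or the advisory. `TemporalValue`, `FIELD_BYTES`, `padding_bytes` and `encode` are hypothetical names constructed here to show where padding arises in a C-layout temporal struct and how field-by-field encoding avoids ever reading it.

```rust
use std::mem::size_of;

// Hypothetical C-layout temporal struct, constructed for this example.
// It is not the diesel or diesel-async definition.
#[repr(C)]
#[derive(Clone, Copy)]
pub struct TemporalValue {
    pub year: u32,
    pub month: u32,
    pub day: u32,
    pub hour: u32,
    pub minute: u32,
    pub second: u32,
    pub second_part: u64,
    pub neg: bool, // 1 byte; the compiler pads before the next u32
    pub time_type: u32,
}

/// Bytes the fields actually occupy (6 * u32 + u64 + bool + u32).
pub const FIELD_BYTES: usize = 6 * 4 + 8 + 1 + 4;

/// Padding bytes in the struct. Field assignment never writes them, so a
/// byte view over the whole struct (e.g. slice::from_raw_parts on a
/// pointer to it) would read uninitialized memory.
pub fn padding_bytes() -> usize {
    size_of::<TemporalValue>() - FIELD_BYTES
}

/// Sound alternative: copy each field into a fresh buffer, so every output
/// byte is initialized and no padding is ever read.
pub fn encode(v: &TemporalValue) -> Vec<u8> {
    let mut out = Vec::with_capacity(FIELD_BYTES);
    for f in [v.year, v.month, v.day, v.hour, v.minute, v.second] {
        out.extend_from_slice(&f.to_le_bytes());
    }
    out.extend_from_slice(&v.second_part.to_le_bytes());
    out.push(v.neg as u8);
    out.extend_from_slice(&v.time_type.to_le_bytes());
    out
}

fn main() {
    // Constructed sample value: 2024-05-17 08:30:00
    let v = TemporalValue { year: 2024, month: 5, day: 17, hour: 8, minute: 30,
        second: 0, second_part: 0, neg: false, time_type: 1 };
    println!("size={} padding={}", size_of::<TemporalValue>(), padding_bytes());
    println!("encoded {} bytes: {:02x?}", encode(&v).len(), encode(&v));
}
```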