GHSA-5qv7-j6w5-fr4m: imageproc has fragile bounds check when sampling from image

May 7, 2026

A read of pixels was coded as modifying coordinates to lie within the image bounds. It would calculate a coordinate by adding a constant to an input and taking the minimum of the resulting coordinate and ‘dimension - 1’. This would not protect against malicious inputs that could overflow the addition. Following the tricked bounds check, the image could then be sampled at multiple differently calculated coordinates that exceeded the bounds.

References

github.com/advisories/GHSA-5qv7-j6w5-fr4m
github.com/image-rs/imageproc
rustsec.org/advisories/RUSTSEC-2026-0115.html

Code Behaviors & Features

Detect and mitigate GHSA-5qv7-j6w5-fr4m with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →