GHSA-j39j-6gw9-jw6h: git2 has potential undefined behavior when dereferencing Buf struct

February 4, 2026

If the Buf struct is dereferenced immediately after calling new() or default() on the Buf struct, a null pointer is passed to the unsafe function slice::from_raw_parts. According to the safety section documentation of the function, data must be non-null and aligned even for zero-length slices or slices of ZSTs. Thus, passing a null pointer will lead to undefined behavior.

References

github.com/advisories/GHSA-j39j-6gw9-jw6h
github.com/rust-lang/git2-rs
github.com/rust-lang/git2-rs/commit/9e160f15bd056f82143109bb330573381e5de719
github.com/rust-lang/git2-rs/issues/1211
github.com/rust-lang/git2-rs/pull/1213
rustsec.org/advisories/RUSTSEC-2026-0008.html

Code Behaviors & Features

Detect and mitigate GHSA-j39j-6gw9-jw6h with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →