CVE-2026-0810: gix-date can create non-utf8 string with `TimeBuf::as_str`
The function `gix_date::parse::TimeBuf::as_str` can create an invalid string containing bytes that are not valid UTF-8. This violates the safety invariant of `TimeBuf` and can lead to undefined behavior when the string is consumed.
The bug can be prevented by adding a `str::from_utf8` check to the function `TimeBuf::write`.
References
- access.redhat.com/security/cve/CVE-2026-0810
- bugzilla.redhat.com/show_bug.cgi?id=2427057
- github.com/GitoxideLabs/gitoxide
- github.com/GitoxideLabs/gitoxide/commit/76376ef5e97c63e108db0c9fe2eb096f4bfe70f7
- github.com/GitoxideLabs/gitoxide/issues/2305
- github.com/GitoxideLabs/gitoxide/pull/2306
- github.com/advisories/GHSA-6mw6-mj76-grwc
- nvd.nist.gov/vuln/detail/CVE-2026-0810
- rustsec.org/advisories/RUSTSEC-2025-0140.html