rustsec-2026-0172
Vulnerability from osv_rustsec
Published
2026-06-05 12:00
Modified
2026-06-05 08:35
Summary
Possible use after free when deserializing a SQLite database via `SqliteConnection::deserialize_readonly_database`
Details

Diesel allows loading a SQLite database from a byte buffer, represented as &[u8], at runtime via the SqliteConnection::deserialize_readonly_database function. In previous versions of Diesel, this buffer was passed directly to libsqlite3. Since libsqlite3 requires the buffer to remain alive for as long as the database connection is open and Diesel did not ensure this as part of its safe API, callers of SqliteConnection::deserialize_readonly_database could drop the buffer prematurely. This prematurely drop caused libsqlite3 to operate on freed memory.

This vulnerability affects users of SqliteConnection::deserialize_readonly_database who drop the buffer passed to the function before they drop the database connection.

Mitigation

The preferred mitigation to the outlined problem is to update to Diesel version 2.3.10 or newer, which includes a fix for the problem. Alternatively users need to take to keep the buffer alive until the connection is dropped.

Resolution

Diesel now stores a copy of the buffer inside of the SqliteConnection object itself to keep it alive as long as the underlying libsqlite3 connection exists.

References
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "categories": [],
        "cvss": null,
        "informational": "unsound"
      },
      "ecosystem_specific": {
        "affected_functions": null,
        "affects": {
          "arch": [],
          "functions": [
            "diesel::sqlite::SqliteConnection::deserialize_readonly_database"
          ],
          "os": []
        }
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "diesel",
        "purl": "pkg:cargo/diesel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0-0"
            },
            {
              "fixed": "2.3.10"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "versions": []
    }
  ],
  "aliases": [],
  "database_specific": {
    "license": "CC0-1.0"
  },
  "details": "Diesel allows loading a SQLite database from a byte buffer, represented as `\u0026[u8]`, at runtime via the `SqliteConnection::deserialize_readonly_database` function. In previous versions of Diesel, this buffer was passed directly to libsqlite3. Since libsqlite3 requires the buffer to remain alive for as long as the database connection is open and Diesel did not ensure this as part of its safe API, callers of `SqliteConnection::deserialize_readonly_database` could drop the buffer prematurely. This prematurely drop caused libsqlite3 to operate on freed memory.\n\nThis vulnerability affects users of `SqliteConnection::deserialize_readonly_database` who drop the buffer passed to the function before they drop the database connection.\n\n## Mitigation\n\nThe preferred mitigation to the outlined problem is to update to Diesel version 2.3.10 or newer, which includes a fix for the problem. Alternatively users need to take to keep the buffer alive until the connection is dropped.\n\n## Resolution\n\nDiesel now stores a copy of the buffer inside of the `SqliteConnection` object itself to keep it alive as long as the underlying libsqlite3 connection exists.",
  "id": "RUSTSEC-2026-0172",
  "modified": "2026-06-05T08:35:31Z",
  "published": "2026-06-05T12:00:00Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://crates.io/crates/diesel"
    },
    {
      "type": "ADVISORY",
      "url": "https://rustsec.org/advisories/RUSTSEC-2026-0172.html"
    },
    {
      "type": "WEB",
      "url": "https://github.com/diesel-rs/diesel/commit/1bc2ea46d9840e8d9af844239d3c84f37fe7d84b"
    }
  ],
  "related": [],
  "severity": [],
  "summary": "Possible use after free when deserializing a SQLite database via `SqliteConnection::deserialize_readonly_database`"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.