Intel

AIKIDO-2026-176428

zlib-rs is vulnerable to Undefined Behavior

Undefined Behavior Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Yesterday

15

Low Risk

This Affects:

RUSTzlib-rs
0.4.0 - 0.6.5
Fixed in 0.6.6
Are you affected? Scan for Free

TL;DR

Affected versions of the zlib-rs crate expose an unsound lifetime on internal WeakSliceMut and WeakArrayMut helpers. Their as_mut_slice() methods returned &'a mut [T] while relinquishing mutable access to the wrapper, which is prone to lifetime extension bugs when those slices are used during deflate hash-chain updates in hash_calc.rs. That undefined behavior can corrupt memory during compression. Version 0.6.6 fixes the return type to &mut [T] and adjusts hash calculation to avoid overlapping borrows.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

zlib-rs is vulnerable to Undefined Behavior in versions 0.4.0 - 0.6.5.

How to fix this

Upgrade the zlib-rs library to the patch version.