CVE-2026-0810
Invalid UTF-8 String Generation Vulnerability in gix-date TimeBuf
Publication date: 2026-01-26
Last updated on: 2026-02-26
Assigner: Red Hat, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gitoxidelabs | gix-date | to 0.12.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-135 | The product does not correctly calculate the length of strings that can contain wide or multi-byte characters. |
| CWE-682 | The product performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Rust crate gix-date, specifically in the function gix_date::parse::TimeBuf::as_str. The function is supposed to convert an internal buffer to a UTF-8 string, assuming the buffer contains only valid UTF-8 bytes. However, because the TimeBuf type allows arbitrary bytes to be written into its buffer, non-UTF-8 bytes can be introduced. The as_str function uses unsafe Rust code to convert the buffer to a string without validating UTF-8 correctness, which can result in strings containing invalid non-UTF-8 characters. This violates Rust's safety guarantees and leads to undefined behavior when these malformed strings are used. [1, 2, 3]
How can this vulnerability impact me? :
The vulnerability can cause undefined behavior in applications using the affected gix-date crate. This may lead to application instability, crashes, or other unforeseen consequences due to the creation and use of invalid non-UTF-8 strings. Since the issue violates internal safety invariants, it can potentially result in memory corruption or other serious runtime errors. [1, 2, 3]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update the gix-date crate to version 0.12.0 or later, where the issue has been fixed by adding UTF-8 validation using str::from_utf8 in the TimeBuf::write function. This ensures that only valid UTF-8 strings are produced, preventing undefined behavior caused by invalid non-UTF8 characters. [1, 2]