CVE-2026-0810
Unknown Unknown - Not Provided
Invalid UTF-8 String Generation Vulnerability in gix-date TimeBuf

Publication date: 2026-01-26

Last updated on: 2026-02-26

Assigner: Red Hat, Inc.

Description
A flaw was found in gix-date. The `gix_date::parse::TimeBuf::as_str` function can generate strings containing invalid non-UTF8 characters. This issue violates the internal safety invariants of the `TimeBuf` component, leading to undefined behavior when these malformed strings are subsequently processed. This could potentially result in application instability or other unforeseen consequences.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-26
Last Modified
2026-02-26
Generated
2026-06-16
AI Q&A
2026-01-26
EPSS Evaluated
2026-06-14
NVD
CVE-2026-0810
EUVD
EUVD-2026-4669
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gitoxidelabs gix-date to 0.12.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-682 The product performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.
CWE-135 The product does not correctly calculate the length of strings that can contain wide or multi-byte characters.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Rust crate gix-date, specifically in the function gix_date::parse::TimeBuf::as_str. The function is supposed to convert an internal buffer to a UTF-8 string, assuming the buffer contains only valid UTF-8 bytes. However, because the TimeBuf type allows arbitrary bytes to be written into its buffer, non-UTF-8 bytes can be introduced. The as_str function uses unsafe Rust code to convert the buffer to a string without validating UTF-8 correctness, which can result in strings containing invalid non-UTF-8 characters. This violates Rust's safety guarantees and leads to undefined behavior when these malformed strings are used. [1, 2, 3]

Impact Analysis

The vulnerability can cause undefined behavior in applications using the affected gix-date crate. This may lead to application instability, crashes, or other unforeseen consequences due to the creation and use of invalid non-UTF-8 strings. Since the issue violates internal safety invariants, it can potentially result in memory corruption or other serious runtime errors. [1, 2, 3]

Mitigation Strategies

To mitigate this vulnerability, update the gix-date crate to version 0.12.0 or later, where the issue has been fixed by adding UTF-8 validation using str::from_utf8 in the TimeBuf::write function. This ensures that only valid UTF-8 strings are produced, preventing undefined behavior caused by invalid non-UTF8 characters. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-0810. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart