—

RUSTSEC-2026-0183

Potential undefined behavior when calling Remote::list()

Details

When calling `Remote::list()` for a remote of a git repository, when that remote does not advertise any references, git2 passes a null pointer to the unsafe function `slice::from_raw_parts()`. Based on the safety section documentation of function, data must be non-null even for slices of length zero. Thus, the use of a null pointer leads to undefined behavior.

Are you affected?

Enter the version of the package you're using.

Affected packages

crates.io / git2

Introduced in: 0.0.0-0 Fixed in: 0.21.0

Upgrade git2 to 0.21.0 or newer (ecosystem crates.io).

References

https://crates.io/crates/git2 [PACKAGE]
https://rustsec.org/advisories/RUSTSEC-2026-0183.html [ADVISORY]
https://github.com/rust-lang/git2-rs/pull/1250 [WEB]